CVE-2012-5667
Publication date 3 January 2013
Last updated 24 July 2024
Ubuntu priority
Multiple integer overflows in GNU Grep before 2.11 might allow context-dependent attackers to execute arbitrary code via vectors involving a long input line that triggers a heap-based buffer overflow.
Status
Package | Ubuntu Release | Status |
---|---|---|
grep | 20.04 LTS focal | Not affected |
grep | 18.04 LTS bionic | Not affected |
grep | 16.04 LTS xenial | Not affected |
grep | 14.04 LTS trusty | Not affected |
Notes
seth-arnold
Upstream recommends upgrading to 2.11, but include fixes for two bugs introduced in 2.11, and reverting the -r change. See oss-security/2012/12/22/3 for details. Upgrading to latest release may also make sense.
jdstrand
Reproducer for amd64 system (tested with 8G of RAM):

    perl -e 'print "x"x(2**31)' | grep x > /dev/null

Ubuntu 8.04 LTS - 12.04 LTS confirmed to be affected. Each release segfaults. Ubuntu 12.10+ does not segfault. RedHat bug has a reduced proposed patch that simply performs boundary checking, but it has not been commented on as of 2013/05/07. This is arguably of low priority unless code-execution can be demonstrated.