90626 2005-04-27 08:28 0000 app-arch/gzip zgrep issue (CAN-2005-0758) 2005-05-09 12:44:59 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED A3 [glsa] jaervosz P2 normal --- 89946 1 jaervosz@gentoo.org security@gentoo.org jaervosz@gentoo.org 2005-04-27 08:28:31 0000 This old issue seems unfixed in our zgrep. > zgrep contains the following gem: > > for i do > [snip] > if test $with_filename -eq 1; then > sed_script="s|^[^:]*:|${i}:|" > else > sed_script="s|^|${i}:|" > fi > $grep $opt "$pat" | sed "$sed_script" > [snip] > done > > Aside of the correctness issues (try to use zgrep on files with e.g. '&' in > names), it leads to obvious fun when zgrep arguments had been obtained > by globbing in an untrusted place. Even with standard sed we have at > least ;w<filename>; to deal with; for GNU sed there's also ;e; on top > of that (execute the contents of pattern space). bzgrep is no better - > it's based on zgrep. > > AFAICS, there are two solutions - one is to do what *BSD had done and > make grep(1) use zlib and libbz; then zgrep et.al. become links to > grep. Another is to quote \, |, ; and newlines, which means extra > invocation of sed(1)... jaervosz@gentoo.org 2005-04-27 08:42:07 0000 And the proposed patch by Red Hat: --- zgrep.in +++ zgrep.in @@ -24,7 +24,7 @@ jaervosz@gentoo.org 2005-04-27 08:42:07 0000 And the proposed patch by Red Hat: --- zgrep.in +++ zgrep.in @@ -24,7 +24,7 @@    PATH="BINDIR:$PATH"; export PATH   -prog=`echo $0 | sed 's|.*/||'` +prog=`echo "$0" | sed 's|.*/||'`  case "$prog" in         *egrep) grep=${EGREP-egrep -a}  ;;         *fgrep) grep=${FGREP-fgrep -a}  ;; @@ -112,12 +112,15 @@    fi    $uncompress -cdfq "$i" |      if test $files_with_matches -eq 1; then -      $grep $opt "$pat" > /dev/null && echo $i +      $grep $opt "$pat" > /dev/null && printf "%s\n" "$i"      elif test $files_without_matches -eq 1; then -      $grep $opt "$pat" > /dev/null || echo $i +      $grep $opt "$pat" > /dev/null || printf "%s\n" "$i"      elif test $with_filename -eq 0 && { test $# -eq 1 || test $no_filename -eq 1; }; then        $grep $opt "$pat"      else +      i=${i//\\/\\\\} +      i=${i//|/\\|} +      i=${i//&/\\&}        if test $with_filename -eq 1; then         sed_script="s|^[^:]*:|${i}:|"        else vapier@gentoo.org 2005-05-02 15:01:10 0000 gzip-1.3.5-r6 now in portage with the fix also we can probably open the bug considering redhat has the fix in their public cvs jaervosz@gentoo.org 2005-05-02 22:23:23 0000 Opening. jaervosz@gentoo.org 2005-05-09 12:44:59 0000 GLSA 200505-05