Bug 90626 - app-arch/gzip zgrep issue (CAN-2005-0758)
Bug#: 90626 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: All Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL: 
Summary: app-arch/gzip zgrep issue (CAN-2005-0758)
Keywords:  
Status Whiteboard: A3 [glsa] jaervosz
Opened: 2005-04-27 08:28 0000
Description:
This old issue seems unfixed in our zgrep.

> zgrep contains the following gem:
>
> for i do
> [snip]
>      if test $with_filename -eq 1; then
>        sed_script="s|^[^:]*:|${i}:|"
>      else
>        sed_script="s|^|${i}:|"
>      fi
>      $grep $opt "$pat" | sed "$sed_script"
> [snip]
> done
>
> Aside of the correctness issues (try to use zgrep on files with e.g. '&' in
> names), it leads to obvious fun when zgrep arguments had been obtained
> by globbing in an untrusted place.  Even with standard sed we have at
> least ;w<filename>; to deal with; for GNU sed there's also ;e; on top
> of that (execute the contents of pattern space).  bzgrep is no better -
> it's based on zgrep.
>
> AFAICS, there are two solutions - one is to do what *BSD had done and
> make grep(1) use zlib and libbz; then zgrep et.al. become links to
> grep.  Another is to quote \, |, ; and newlines, which means extra
> invocation of sed(1)...

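The quoting approach the description proposes (escape `\`, `|`, `;`/newlines before the name reaches sed), written out as an added POSIX sh example; this is not code from the bug report or from the gzip patch, the function names are my own, and it goes slightly beyond the patch by also covering newlines in file names:

```sh
#!/bin/sh
# Added example, not code from the bug report or from the gzip patch:
# build the "file:" prefix that zgrep hands to sed without letting the
# file name be parsed as part of the sed script. Uses only POSIX sh and
# sed (no bash ${var//x/y}) and also handles newlines in names.

# sed_escape NAME: print NAME so it can sit inside the replacement part
# of s|^|...|. Backslash is escaped first so later escapes are not
# doubled; then the | delimiter and the & back-reference; finally every
# line but the last gets a trailing backslash, which makes an embedded
# newline read as "backslash newline" (a literal newline in a replacement).
sed_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' \
                             -e 's/|/\\|/g' \
                             -e 's/&/\\&/g' \
                             -e '$!s/$/\\/'
}

# prefix_with_name NAME: read lines on stdin and print each as "NAME:line",
# as zgrep's with_filename branch does, but with NAME escaped first.
prefix_with_name() {
    esc=$(sed_escape "$1")
    sed "s|^|${esc}:|"
}

# prefix_naive NAME: the unescaped form quoted in the bug report, kept only
# for contrast: a name containing | makes sed reject the script (and other
# characters let it be re-parsed) instead of being treated as text.
prefix_naive() {
    sed "s|^|$1:|"
}

# Demonstration with a constructed file name; no real file is opened.
name='a|b&c\d'
printf 'match line\n' | prefix_with_name "$name"   # prints a|b&c\d:match line
printf 'match line\n' | prefix_naive "$name" 2>/dev/null \
    || echo "naive form: sed rejected the script" >&2
```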
------- Comment #2 From Sune Kloppenborg Jeppesen 2005-04-27 08:42:07 0000 -------
And the proposed patch by Red Hat:

--- zgrep.in
+++ zgrep.in
@@ -24,7 +24,7 @@
 
 PATH="BINDIR:$PATH"; export PATH
 
-prog=`echo $0 | sed 's|.*/||'`
+prog=`echo "$0" | sed 's|.*/||'`
 case "$prog" in
        *egrep) grep=${EGREP-egrep -a}  ;;
        *fgrep) grep=${FGREP-fgrep -a}  ;;
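Review bot: quoting `$0` in `prog=\`echo "$0" | sed 's|.*/||'\`` stops word splitting and globbing, but `echo` still interprets an argument that starts with `-` (and, in some shells, backslash escapes); since the second hunk already switches to `printf "%s\n"` for file names, the same form would be the consistent and safer choice here.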
@@ -112,12 +112,15 @@
   fi
   $uncompress -cdfq "$i" |
     if test $files_with_matches -eq 1; then
-      $grep $opt "$pat" > /dev/null && echo $i
+      $grep $opt "$pat" > /dev/null && printf "%s\n" "$i"
     elif test $files_without_matches -eq 1; then
-      $grep $opt "$pat" > /dev/null || echo $i
+      $grep $opt "$pat" > /dev/null || printf "%s\n" "$i"
     elif test $with_filename -eq 0 && { test $# -eq 1 || test $no_filename -eq 1; }; then
       $grep $opt "$pat"
     else
+      i=${i//\\/\\\\}
+      i=${i//|/\\|}
+      i=${i//&/\\&}
       if test $with_filename -eq 1; then
        sed_script="s|^[^:]*:|${i}:|"
       else
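Review bot: the three substitutions `i=${i//\\/\\\\}`, `i=${i//|/\\|}`, `i=${i//&/\\&}` escape in the right order (backslash first), but `${var//pattern/string}` is a bash/ksh extension, not POSIX parameter expansion, so zgrep.in will fail on systems whose `/bin/sh` lacks it; they also leave newlines unescaped, which the description lists alongside `\`, `|` and `;`, so a file name containing a newline still ends the `s` command early. Doing the escaping with an extra `sed` invocation, as the description suggests, would be both portable and able to cover newlines.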

------- Comment #3 From SpanKY 2005-05-02 15:01:10 0000 -------
gzip-1.3.5-r6 now in portage with the fix

Also, we can probably open the bug considering Red Hat has the fix in their public CVS.

------- Comment #4 From Sune Kloppenborg Jeppesen 2005-05-02 22:23:23 0000 -------
Opening.

------- Comment #5 From Sune Kloppenborg Jeppesen 2005-05-09 12:44:59 0000 -------
GLSA 200505-05