Bug 90626 - app-arch/gzip zgrep issue (CAN-2005-0758)
Summary: app-arch/gzip zgrep issue (CAN-2005-0758)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa] jaervosz
Depends on: 89946
Reported: 2005-04-27 08:28 UTC by Sune Kloppenborg Jeppesen
Modified: 2005-05-09 12:44 UTC (History)

Runtime testing required: ---

Description Sune Kloppenborg Jeppesen gentoo-dev 2005-04-27 08:28:31 UTC
This old issue seems unfixed in our zgrep.

> zgrep contains the following gem:
>
> for i do
> [snip]
>      if test $with_filename -eq 1; then
>        sed_script="s|^[^:]*:|${i}:|"
>      else
>        sed_script="s|^|${i}:|"
>      fi
>      $grep $opt "$pat" | sed "$sed_script"
> [snip]
> done
>
> Aside from the correctness issues (try to use zgrep on files with e.g. '&' in
> names), it leads to obvious fun when zgrep arguments had been obtained
> by globbing in an untrusted place.  Even with standard sed we have at
> least ;w<filename>; to deal with; for GNU sed there's also ;e; on top
> of that (execute the contents of pattern space).  bzgrep is no better -
> it's based on zgrep.
>
> AFAICS, there are two solutions - one is to do what *BSD had done and
> make grep(1) use zlib and libbz; then zgrep et al. become links to
> grep.  Another is to quote \, |, ; and newlines, which means extra
> invocation of sed(1)...
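An added example, not code from the bug report or from the Red Hat patch, of the second fix the quoted mail proposes: an extra sed invocation escapes the file name before it is interpolated into the `s|^|${i}:|` script, covering backslash, the `|` delimiter, `&` and newlines. The function names and the sample name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the zgrep script or the Red Hat patch): escape a file
# name before interpolating it into the sed replacement that zgrep builds.

# Make $1 safe as the replacement text of a sed "s|...|...|" command:
# backslash, the "|" delimiter and "&" get a backslash in front; every
# newline inside the name becomes backslash-newline, which sed treats as
# a literal newline instead of the end of the s command. A trailing
# newline in the name is dropped by $(...); that is the one limitation.
sed_escape_replacement() {
    printf '%s\n' "$1" | sed -e 's/[\\|&]/\\&/g' -e '$!s/$/\\/'
}

# Prefix every line on stdin with "<name>:", as zgrep does for
# multi-file searches, but with the name escaped first.
prefix_with_filename() {
    esc=$(sed_escape_replacement "$1")
    sed "s|^|${esc}:|"
}

# Demo on constructed input: a name containing each special character
# and a newline, and two lines standing in for grep matches.
name=$(printf 'odd|name&here\\x\nsecond line')
printf 'match1\nmatch2\n' | prefix_with_filename "$name"
```

With the escaping in place the name is printed verbatim as a prefix, and a newline in the name can no longer start a second sed command.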
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2005-04-27 08:42:07 UTC
And the proposed patch by Red Hat:

--- zgrep.in
+++ zgrep.in
@@ -24,7 +24,7 @@
 
 PATH="BINDIR:$PATH"; export PATH
 
-prog=`echo $0 | sed 's|.*/||'`
+prog=`echo "$0" | sed 's|.*/||'`
 case "$prog" in
        *egrep) grep=${EGREP-egrep -a}  ;;
        *fgrep) grep=${FGREP-fgrep -a}  ;;
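Review bot: quoting `"$0"` in `prog=`echo "$0" | sed 's|.*/||'`` stops word splitting and globbing of the script path, but `echo` still interprets a leading `-n` or `-e` in some shells; for consistency with the `printf "%s\n"` used in the second hunk, `prog=`printf '%s\n' "$0" | sed 's|.*/||'`` is the safer form.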
@@ -112,12 +112,15 @@
   fi
   $uncompress -cdfq "$i" |
     if test $files_with_matches -eq 1; then
-      $grep $opt "$pat" > /dev/null && echo $i
+      $grep $opt "$pat" > /dev/null && printf "%s\n" "$i"
     elif test $files_without_matches -eq 1; then
-      $grep $opt "$pat" > /dev/null || echo $i
+      $grep $opt "$pat" > /dev/null || printf "%s\n" "$i"
     elif test $with_filename -eq 0 && { test $# -eq 1 || test $no_filename -eq 1; }; then
       $grep $opt "$pat"
     else
+      i=${i//\\/\\\\}
+      i=${i//|/\\|}
+      i=${i//&/\\&}
       if test $with_filename -eq 1; then
        sed_script="s|^[^:]*:|${i}:|"
       else
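Review bot: the escaping at `i=${i//\\/\\\\}`, `i=${i//|/\\|}` and `i=${i//&/\\&}` covers backslash, the `|` delimiter and `&`, but not the newline the original report lists alongside them: a name containing a newline still ends the `s` command inside `sed "$sed_script"`, and whatever follows is parsed as further sed commands. Also, `${i//pattern/string}` is a bash pattern substitution, not POSIX sh; confirm the interpreter the script runs under or fold the escaping into a `sed` call. Note the hunk is truncated here (the header announces 15 new lines but the `else` branch is cut off).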
Comment 3 SpanKY gentoo-dev 2005-05-02 15:01:10 UTC
gzip-1.3.5-r6 now in portage with the fix

also we can probably open the bug considering redhat has the fix in their public cvs
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-02 22:23:23 UTC
Opening.
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2005-05-09 12:44:59 UTC
GLSA 200505-05