Bug 121514
| Summary: | CAN-2005-0758 zgrep has security issue in sed usage | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 3 | Reporter: | Mark J. Cox <mjc> |
| Component: | gzip | Assignee: | Ivana Varekova <varekova> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 3.0 | CC: | bressers |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | impact=low,public=20050422,source=redhat,reported=20040422 | ||
| Fixed In Version: | RHSA-2005-357 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-06-13 12:12:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** This bug has been marked as a duplicate of 123012 *** not a duplicate. 123012 refers to this bug as it applies to Fedora Core; this bug refers to Red Hat Enterprise Linux. The two will probably require different solutions. Ping on this issue (now that there is a new maintainer) The new version 1.3.3-10.rhel3 is in errata process now. Ivana Varekova Ivana, Can you verify if this issue also affects RHEL2.1 and RHEL4? My notes say yes but the bug doesn't specify. Yes I will verify it. Ivana New RHEL2.1 and RHEL4 versions are in errata process now. Ivana Varekova Testing successful with the following: gzip-1.3-16.rhel2 gzip-1.3.3-10.rhel3 gzip-1.3.3-14.rhel4 Lifting embargo An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-357.html |
Al Viro posted to vendor-sec on Apr22: zgrep contains the following gem: for i do [snip] if test $with_filename -eq 1; then sed_script="s|^[^:]*:|${i}:|" else sed_script="s|^|${i}:|" fi $grep $opt "$pat" | sed "$sed_script" [snip] done Aside of the correctness issues (try to use zgrep on files with e.g. '&' in names), it leads to obvious fun when zgrep arguments had been obtained by globbing in an untrusted place. Even with standard sed we have at least ;w<filename>; to deal with; for GNU sed there's also ;e; on top of that (execute the contents of pattern space). bzgrep is no better - it's based on zgrep. AFAICS, there are two solutions - one is to do what *BSD had done and make grep(1) use zlib and libbz; then zgrep et.al. become links to grep. Another is to quote \, |, ; and newlines, which means extra invocation of sed(1)... Treating as embargoed. Also affects bzip2 package; not creating extra bug at this time