Bug 1223341 (CVE-2015-4035)

Summary: CVE-2015-4035 xzgrep: incorrect parsing of filenames containing a semicolon
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: novyjindrich, praiskup, rjones
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: xz 5.0.0, xz 5.2.0 Doc Type: Bug Fix
Doc Text:
It was discovered that the xzgrep's xz helper script did not properly sanitize certain file names. A local attacker could use this flaw to inject and execute arbitrary commands by tricking a user into running the xzgrep script on a file with a specially crafted file name.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-11 21:04:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1223342    

Description Martin Prpič 2015-05-20 11:28:21 UTC 
It was found that xzgrep did not correctly process file names containing a semicolon. A local attacker able to trick a user to run xzgrep on a specially crafted file could use this flaw to execute arbitrary code as the user running xzgrep.

$ touch /tmp/semi\;colon
$ xzgrep anystring /tmp/semi\;colon 
xz: /tmp/semi: No such file or directory
/usr/bin/xzgrep: line 199: colon: command not found

Additional details:

http://seclists.org/oss-sec/2015/q2/484
Comment 1 Stefan Cornelius 2015-06-02 11:07:52 UTC 
Upstream patch:

http://git.tukaani.org/?p=xz.git;a=commitdiff;h=f4b2b52624b802c786e4e2a8eb6895794dd93b24
Comment 2 Stefan Cornelius 2015-06-03 07:11:00 UTC 
Statement:

This issue affects the versions of xz as shipped with Red Hat Enterprise Linux 5 and 6. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 3 Product Security DevOps Team 2021-06-11 21:04:06 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-4035