Bug 159819

Summary: CAN-2005-0758 bzgrep has security issue in sed usage
Product: [Fedora] Fedora Reporter: Mark J. Cox <mjc>
Component: bzip2Assignee: Jiri Ryska <jryska>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 4CC: bressers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: bzip2-1.0.2-16.FC4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-06-17 11:34:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mark J. Cox 2005-06-08 09:58:13 UTC
+++ This bug was initially created as a clone of Bug #121514 +++

Al Viro posted to vendor-sec on Apr22:

zgrep contains the following gem:

for i do
[snip]
      if test $with_filename -eq 1; then
        sed_script="s|^[^:]*:|${i}:|"
      else
        sed_script="s|^|${i}:|"
      fi
      $grep $opt "$pat" | sed "$sed_script"
[snip]
done

Aside of the correctness issues (try to use zgrep on files with e.g.
'&' in names), it leads to obvious fun when zgrep arguments had been
obtained by globbing in an untrusted place.  Even with standard sed we
have at least ;w<filename>; to deal with; for GNU sed there's also ;e;
on top of that (execute the contents of pattern space).  bzgrep is no
better - it's based on zgrep.

AFAICS, there are two solutions - one is to do what *BSD had done and
make grep(1) use zlib and libbz; then zgrep et.al. become links to
grep.  Another is to quote \, |, ; and newlines, which means extra
invocation of sed(1)...