Red Hat Bugzilla – Bug 121514
CAN-2005-0758 zgrep has security issue in sed usage
Last modified: 2007-11-30 17:07:01 EST
Al Viro posted to vendor-sec on Apr22:
zgrep contains the following gem:
for i do
if test $with_filename -eq 1; then
$grep $opt "$pat" | sed "$sed_script"
Aside of the correctness issues (try to use zgrep on files with e.g.
'&' in names), it leads to obvious fun when zgrep arguments had been
obtained by globbing in an untrusted place. Even with standard sed we
have at least ;w<filename>; to deal with; for GNU sed there's also ;e;
on top of that (execute the contents of pattern space). bzgrep is no
better - it's based on zgrep.
AFAICS, there are two solutions - one is to do what *BSD had done and
make grep(1) use zlib and libbz; then zgrep et.al. become links to
grep. Another is to quote \, |, ; and newlines, which means extra
invocation of sed(1)...
Treating as embargoed.
Also affects bzip2 package; not creating extra bug at this time
*** This bug has been marked as a duplicate of 123012 ***
not a duplicate. 123012 refers to this bug as it applies to Fedora
Core; this bug refers to Red Hat Enterprise Linux. The two will
probably require different solutions.
Ping on this issue (now that there is a new maintainer)
The new version 1.3.3-10.rhel3 is in errata process now.
Can you verify if this issue also affects RHEL2.1 and RHEL4? My notes say yes
but the bug doesn't specify.
Yes I will verify it.
New RHEL2.1 and RHEL4 versions are in errata process now.
Testing successful with the following:
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.