It was found that xzgrep did not correctly process file names containing a semicolon. A local attacker able to trick a user to run xzgrep on a specially crafted file could use this flaw to execute arbitrary code as the user running xzgrep.
$ touch /tmp/semi\;colon
$ xzgrep anystring /tmp/semi\;colon
xz: /tmp/semi: No such file or directory
/usr/bin/xzgrep: line 199: colon: command not found
This issue affects the versions of xz as shipped with Red Hat Enterprise Linux 5 and 6. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):