Bug 159817 - CAN-2005-0758 bzgrep has security issue in sed usage
CAN-2005-0758 bzgrep has security issue in sed usage
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: bzip2 (Show other bugs)
3
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jiri Ryska
Ben Levenson
: Security
: 159818 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-06-08 05:54 EDT by Mark J. Cox (Product Security)
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version: bzip2-1.0.2-13.FC3.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-06-17 07:33:51 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mark J. Cox (Product Security) 2005-06-08 05:54:43 EDT
Note this is already fixed in FC4 (since FC4-re0522.0)

+++ This bug was initially created as a clone of Bug #121514 +++

Al Viro posted to vendor-sec on Apr22:

zgrep contains the following gem:

for i do
[snip]
      if test $with_filename -eq 1; then
        sed_script="s|^[^:]*:|${i}:|"
      else
        sed_script="s|^|${i}:|"
      fi
      $grep $opt "$pat" | sed "$sed_script"
[snip]
done

Aside of the correctness issues (try to use zgrep on files with e.g.
'&' in names), it leads to obvious fun when zgrep arguments had been
obtained by globbing in an untrusted place.  Even with standard sed we
have at least ;w<filename>; to deal with; for GNU sed there's also ;e;
on top of that (execute the contents of pattern space).  bzgrep is no
better - it's based on zgrep.

AFAICS, there are two solutions - one is to do what *BSD had done and
make grep(1) use zlib and libbz; then zgrep et.al. become links to
grep.  Another is to quote \, |, ; and newlines, which means extra
invocation of sed(1)...
Comment 1 Mark J. Cox (Product Security) 2005-06-08 05:56:45 EDT
(actually does affect FC4, creating separate bug)
Comment 2 Jiri Ryska 2005-06-08 09:20:11 EDT
*** Bug 159818 has been marked as a duplicate of this bug. ***
Comment 3 David Eisenstein 2005-09-08 02:05:07 EDT
The fix for FC3's bzgrep is not completely correct, from what I can tell.

For details, please see bug 159816 comment #2 and bug 159816 comment #3.

I do not know if this represents a security problem or not.

Note You need to log in before you can comment on or make changes to this bug.