Note this is already fixed in FC4 (since FC4-re0522.0) +++ This bug was initially created as a clone of Bug #121514 +++ Al Viro posted to vendor-sec on Apr22: zgrep contains the following gem: for i do [snip] if test $with_filename -eq 1; then sed_script="s|^[^:]*:|${i}:|" else sed_script="s|^|${i}:|" fi $grep $opt "$pat" | sed "$sed_script" [snip] done Aside of the correctness issues (try to use zgrep on files with e.g. '&' in names), it leads to obvious fun when zgrep arguments had been obtained by globbing in an untrusted place. Even with standard sed we have at least ;w<filename>; to deal with; for GNU sed there's also ;e; on top of that (execute the contents of pattern space). bzgrep is no better - it's based on zgrep. AFAICS, there are two solutions - one is to do what *BSD had done and make grep(1) use zlib and libbz; then zgrep et.al. become links to grep. Another is to quote \, |, ; and newlines, which means extra invocation of sed(1)...
(actually does affect FC4, creating separate bug)
*** Bug 159818 has been marked as a duplicate of this bug. ***
The fix for FC3's bzgrep is not completely correct, from what I can tell. For details, please see bug 159816 comment #2 and bug 159816 comment #3. I do not know if this represents a security problem or not.