Red Hat Bugzilla – Bug 159817
CAN-2005-0758 bzgrep has security issue in sed usage
Last modified: 2007-11-30 17:11:07 EST
Note this is already fixed in FC4 (since FC4-re0522.0)
+++ This bug was initially created as a clone of Bug #121514 +++
Al Viro posted to vendor-sec on Apr22:
zgrep contains the following gem:
for i do
if test $with_filename -eq 1; then
$grep $opt "$pat" | sed "$sed_script"
Aside of the correctness issues (try to use zgrep on files with e.g.
'&' in names), it leads to obvious fun when zgrep arguments had been
obtained by globbing in an untrusted place. Even with standard sed we
have at least ;w<filename>; to deal with; for GNU sed there's also ;e;
on top of that (execute the contents of pattern space). bzgrep is no
better - it's based on zgrep.
AFAICS, there are two solutions - one is to do what *BSD had done and
make grep(1) use zlib and libbz; then zgrep et.al. become links to
grep. Another is to quote \, |, ; and newlines, which means extra
invocation of sed(1)...
(actually does affect FC4, creating separate bug)
*** Bug 159818 has been marked as a duplicate of this bug. ***
The fix for FC3's bzgrep is not completely correct, from what I can tell.
For details, please see bug 159816 comment #2 and bug 159816 comment #3.
I do not know if this represents a security problem or not.