Bug 159818 - CAN-2005-0758 bzgrep has security issue in sed usage
Summary: CAN-2005-0758 bzgrep has security issue in sed usage
Status: CLOSED DUPLICATE of bug 159817
Alias: None
Product: Fedora
Classification: Fedora
Component: bzip2
Version: 3
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jiri Ryska
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-06-08 09:57 UTC by Mark J. Cox
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2005-06-08 13:20:00 UTC


Attachments (Terms of Use)

Description Mark J. Cox 2005-06-08 09:57:06 UTC
Note this is already fixed in FC4 (since FC4-re0522.0)

+++ This bug was initially created as a clone of Bug #121514 +++

Al Viro posted to vendor-sec on Apr22:

zgrep contains the following gem:

for i do
[snip]
      if test $with_filename -eq 1; then
        sed_script="s|^[^:]*:|${i}:|"
      else
        sed_script="s|^|${i}:|"
      fi
      $grep $opt "$pat" | sed "$sed_script"
[snip]
done

Aside of the correctness issues (try to use zgrep on files with e.g.
'&' in names), it leads to obvious fun when zgrep arguments had been
obtained by globbing in an untrusted place.  Even with standard sed we
have at least ;w<filename>; to deal with; for GNU sed there's also ;e;
on top of that (execute the contents of pattern space).  bzgrep is no
better - it's based on zgrep.

AFAICS, there are two solutions - one is to do what *BSD had done and
make grep(1) use zlib and libbz; then zgrep et.al. become links to
grep.  Another is to quote \, |, ; and newlines, which means extra
invocation of sed(1)...

Comment 1 Jiri Ryska 2005-06-08 13:20:00 UTC

*** This bug has been marked as a duplicate of 159817 ***


Note You need to log in before you can comment on or make changes to this bug.