A week ago, this vulnerability in the GNU zgrep script and its
xzgrep offspring was announced:
https://www.openwall.com/lists/oss-security/2022/04/07/8
A number of compression tools ship with some *grep script, so here's
the rundown:
* GNU gzip (zgrep) -- n/a
We have our own gzip in base, our zgrep(1) is not a script.
* archivers/xz (xzgrep) -- AFFECTED
Upstream fix committed.
* archivers/bzip2 (bzgrep) -- not affected
Filenames are run through tr '\n' ' '.
* archivers/zstd (zstdgrep) -- not affected
Filenames are set unportably with grep's --label option.
* archivers/unzip (zipgrep) -- AFFECTED
archive member names are extracted with unzip -Z1, which renders
\n as ^J. However, the result is processed by shell command
substitution, so it undergoes field splitting and pathname
expansion. If a file with an exploitable name is present in the
current working directory, a archive member with a shell wildcard
in its name may inadvertently feed it to sed. Yes, it's convoluted.
The xzgrep fix can be applied.
That's all I can find.
--
Christian "naddy" Weisgerber naddy@mips.inka.de
No comments:
Post a Comment