Debian Bug report logs - #308379
gzip: zgrep improperly sanitizes arguments (CAN-2005-0758)


Package: gzip; Maintainer for gzip is Bdale Garbee <>; Source for gzip is src:gzip.

Reported by: Isaac Clerencia <>

Date: Mon, 9 May 2005 20:48:01 UTC

Severity: important

Tags: patch, security

Found in version 1.3.5-9

Fixed in version gzip/1.3.5-10

Done: Bdale Garbee <>

Bug is archived. No further changes may be made.


Report forwarded to, Bdale Garbee <>:
Bug#308379; Package gzip. Full text and rfc822 format available.

Acknowledgement sent to Isaac Clerencia <>:
New Bug report received and forwarded. Copy sent to Bdale Garbee <>. Full text and rfc822 format available.

Message #5 received at (full text, mbox):

From: Isaac Clerencia <>
To: Debian Bug Tracking System <>
Subject: gzip: zgrep improperly sanitizes arguments (CAN-2005-0758)
Date: Mon, 09 May 2005 22:32:13 +0200
Package: gzip
Version: 1.3.5-9
Severity: important

Quoted from
> zgrep contains the following gem:
> for i do
> [snip]
>      if test $with_filename -eq 1; then
>        sed_script="s|^[^:]*:|${i}:|"
>      else
>        sed_script="s|^|${i}:|"
>      fi
>      $grep $opt "$pat" | sed "$sed_script"
> [snip]
> done
> Aside of the correctness issues (try to use zgrep on files with e.g.
> '&' in names), it leads to obvious fun when zgrep arguments had been
> obtained by globbing in an untrusted place.  Even with standard sed we
> have at least ;w<filename>; to deal with; for GNU sed there's also ;e;
> on top of that (execute the contents of pattern space).  bzgrep is no
> better - it's based on zgrep.
> AFAICS, there are two solutions - one is to do what *BSD had done and
> make grep(1) use zlib and libbz; then zgrep become links to
> grep.  Another is to quote \, |, ; and newlines, which means extra
> invocation of sed(1)...

A patch is available in the same thread

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)

Versions of packages gzip depends on:
ii  debianutils                 2.13.2       Miscellaneous utilities specific t
ii  libc6                       2.3.2.ds1-21 GNU C Library: Shared libraries an

-- no debconf information
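
The second remedy named in the quoted message (quoting the characters that are special to sed before the file name is spliced into the script), as an added example that is not part of the original report and is not the gzip patch itself. The function names and sample file names are constructed for illustration; the escape set used here is backslash, '&', the '|' delimiter and newline.

```shell
#!/bin/sh
# Added illustration; function names and file names are constructed.

# Escape a file name for the replacement side of sed's s|re|replacement|.
# Special there: backslash, '&' (the matched text), the '|' delimiter,
# and newline (an unescaped newline ends the command).
escape_for_sed_replacement() {
    printf '%s\n' "$1" |
        sed -e 's/[\\&|]/\\&/g' -e '$!s/$/\\/'
}

# Same shape as the quoted zgrep loop: the name is interpolated raw,
# so sed parses whatever the name contains as part of its script.
label_unsafe() {
    sed "s|^|${1}:|"
}

# Hardened form: the name is escaped first, so sed sees it only as text.
# The with-filename branch (s|^[^:]*:|...|) would take the same escaped value.
label_safe() {
    esc=$(escape_for_sed_replacement "$1")
    sed "s|^|${esc}:|"
}

# The correctness issue from the report: '&' expands to the (empty) match.
printf 'match\n' | label_unsafe 'R&D.gz'       # RD.gz:match
printf 'match\n' | label_safe 'R&D.gz'         # R&D.gz:match
# A name containing the delimiter and a backslash stays literal text.
printf 'match\n' | label_safe 'a|b&c\d.gz'     # a|b&c\d.gz:match
```

A file name ending in a newline loses that newline in the command substitution, so the label is shortened but nothing in the name reaches sed as a command.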

Tags added: security Request was from Isaac Clerencia <> to Full text and rfc822 format available.

Tags added: security Request was from Joey Hess <> to Full text and rfc822 format available.

Tags added: patch Request was from Joey Hess <> to Full text and rfc822 format available.

Tags added: pending Request was from (Bdale Garbee) to Full text and rfc822 format available.

Reply sent to Bdale Garbee <>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Isaac Clerencia <>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #18 received at (full text, mbox):

From: Bdale Garbee <>
Subject: Bug#308379: fixed in gzip 1.3.5-10
Date: Sat, 21 May 2005 01:17:04 -0400
Source: gzip
Source-Version: 1.3.5-10

We believe that the bug you reported is fixed in the latest version of
gzip, which is due to be installed in the Debian FTP archive:

  to pool/main/g/gzip/gzip_1.3.5-10.diff.gz
  to pool/main/g/gzip/gzip_1.3.5-10.dsc
  to pool/main/g/gzip/gzip_1.3.5-10_i386.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Bdale Garbee <> (supplier of updated gzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing


Format: 1.7
Date: Fri, 20 May 2005 22:34:49 -0600
Source: gzip
Binary: gzip
Architecture: source i386
Version: 1.3.5-10
Distribution: unstable
Urgency: medium
Maintainer: Bdale Garbee <>
Changed-By: Bdale Garbee <>
 gzip       - The GNU compression utility
Closes: 263792 283730 303927 305255 308379
 gzip (1.3.5-10) unstable; urgency=medium
   * remove PAGER reference from zmore.1, closes: #263792
   * patch to improve zgrep argument sanitizing (CAN-2005-0758),
     closes: #308379
   * patch isolated by Petter Reinholdtsen for CAN-2005-0988, closes: #303927
   * patch for dir traversal bug (CAN-2005-1228), closes: #305255
   * up the priority a click because of the security fixes
   * patch to support cross building, closes: #283730
 c1bdc2505397e079b9bf8d15ccb33792 554 base required gzip_1.3.5-10.dsc
 905cd5c24a4376bd9a97190a388775e9 56311 base required gzip_1.3.5-10.diff.gz
 bdd5d477cb4a7f048052d5c34f31a860 70758 base required gzip_1.3.5-10_i386.deb




Debian bug tracking system administrator <>. Last modified: Wed Apr 16 16:16:49 2014; Machine Name:

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.