Debian Bug report logs - #308379
gzip: zgrep improperly sanitizes arguments (CAN-2005-0758)


Package: gzip; Maintainer for gzip is Bdale Garbee <bdale@gag.com>; Source for gzip is src:gzip.

Reported by: Isaac Clerencia <isaac@debian.org>

Date: Mon, 9 May 2005 20:48:01 UTC

Severity: important

Tags: patch, security

Found in version 1.3.5-9

Fixed in version gzip/1.3.5-10

Done: Bdale Garbee <bdale@gag.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#308379; Package gzip.

Acknowledgement sent to Isaac Clerencia <isaac@debian.org>:
New Bug report received and forwarded. Copy sent to Bdale Garbee <bdale@gag.com>.

Message #5 received at submit@bugs.debian.org:

From: Isaac Clerencia <isaac@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gzip: zgrep improperly sanitizes arguments (CAN-2005-0758)
Date: Mon, 09 May 2005 22:32:13 +0200
Package: gzip
Version: 1.3.5-9
Severity: important

Quoted from http://bugs.gentoo.org/show_bug.cgi?id=90626:
> zgrep contains the following gem:
>
> for i do
> [snip]
>      if test $with_filename -eq 1; then
>        sed_script="s|^[^:]*:|${i}:|"
>      else
>        sed_script="s|^|${i}:|"
>      fi
>      $grep $opt "$pat" | sed "$sed_script"
> [snip]
> done
>
> Aside of the correctness issues (try to use zgrep on files with e.g. '&' in
> names), it leads to obvious fun when zgrep arguments had been obtained
> by globbing in an untrusted place.  Even with standard sed we have at
> least ;w<filename>; to deal with; for GNU sed there's also ;e; on top
> of that (execute the contents of pattern space).  bzgrep is no better -
> it's based on zgrep.
>
> AFAICS, there are two solutions - one is to do what *BSD had done and
> make grep(1) use zlib and libbz; then zgrep et.al. become links to
> grep.  Another is to quote \, |, ; and newlines, which means extra
> invocation of sed(1)...

A patch is available in the same thread.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)

Versions of packages gzip depends on:
ii  debianutils                 2.13.2       Miscellaneous utilities specific t
ii  libc6                       2.3.2.ds1-21 GNU C Library: Shared libraries an

-- no debconf information
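
The labelling step from the quoted loop next to an escaped form of it, as an added example that is not part of the report and not the gzip patch. The function names and file names are constructed for illustration; `;` is left alone because it is literal inside a replacement once `|` is escaped.

```shell
#!/bin/sh
# Added example, not the gzip patch. File names below are constructed samples.

# Same construction as the quoted loop: the name is pasted unescaped into the
# replacement half of s|^|...|, so sed parses it instead of printing it.
label_unsafe() {
    sed "s|^|$1:|"
}

# Escape what is special in an s|...|...| replacement: backslash, the '|'
# delimiter, '&' (the matched text) and newline (must follow a backslash).
# Result is returned in $sed_escaped so no $(...) strips trailing newlines.
escape_for_sed_replacement() {
    sed_escaped=$(printf '%s\n' "$1" |
        sed -e 's/[\\|&]/\\&/g' -e '$!s/$/\\/'; printf x)
    sed_escaped=${sed_escaped%x}   # drop the sentinel
    sed_escaped=${sed_escaped%?}   # drop the newline printf '%s\n' added
}

label_safe() {
    escape_for_sed_replacement "$1"
    sed "s|^|${sed_escaped}:|"
}

# Demo: one matching line labelled with each constructed name.
for name in 'plain.gz' 'a&b.gz' 'a|b.gz' 'a\1.gz'; do
    printf 'name=%s\n' "$name"
    printf '  unsafe: %s\n' "$(printf 'hit\n' | label_unsafe "$name" 2>&1 || true)"
    printf '  safe:   %s\n' "$(printf 'hit\n' | label_safe "$name")"
done
```

With the unescaped form, `a&b.gz` is printed as `ab.gz` and `a|b.gz` makes sed reject the script, because everything after the `|` is read as sed syntax rather than as part of the label.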



Tags added: security Request was from Isaac Clerencia <isaac@debian.org> to control@bugs.debian.org.

Tags added: security Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org.

Tags added: patch Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org.

Tags added: pending Request was from bdale@gag.com (Bdale Garbee) to control@bugs.debian.org.

Reply sent to Bdale Garbee <bdale@gag.com>:
You have taken responsibility.

Notification sent to Isaac Clerencia <isaac@debian.org>:
Bug acknowledged by developer.

Message #18 received at 308379-close@bugs.debian.org:

From: Bdale Garbee <bdale@gag.com>
To: 308379-close@bugs.debian.org
Subject: Bug#308379: fixed in gzip 1.3.5-10
Date: Sat, 21 May 2005 01:17:04 -0400
Source: gzip
Source-Version: 1.3.5-10

We believe that the bug you reported is fixed in the latest version of
gzip, which is due to be installed in the Debian FTP archive:

gzip_1.3.5-10.diff.gz
  to pool/main/g/gzip/gzip_1.3.5-10.diff.gz
gzip_1.3.5-10.dsc
  to pool/main/g/gzip/gzip_1.3.5-10.dsc
gzip_1.3.5-10_i386.deb
  to pool/main/g/gzip/gzip_1.3.5-10_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 308379@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated gzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 20 May 2005 22:34:49 -0600
Source: gzip
Binary: gzip
Architecture: source i386
Version: 1.3.5-10
Distribution: unstable
Urgency: medium
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 gzip       - The GNU compression utility
Closes: 263792 283730 303927 305255 308379
Changes: 
 gzip (1.3.5-10) unstable; urgency=medium
 .
   * remove PAGER reference from zmore.1, closes: #263792
   * patch to improve zgrep argument sanitizing (CAN-2005-0758),
     closes: #308379
   * patch isolated by Petter Reinholdtsen for CAN-2005-0988, closes: #303927
   * patch for dir traversal bug (CAN-2005-1228), closes: #305255
   * up the priority a click because of the security fixes
   * patch to support cross building, closes: #283730
Files: 
 c1bdc2505397e079b9bf8d15ccb33792 554 base required gzip_1.3.5-10.dsc
 905cd5c24a4376bd9a97190a388775e9 56311 base required gzip_1.3.5-10.diff.gz
 bdd5d477cb4a7f048052d5c34f31a860 70758 base required gzip_1.3.5-10_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCjsDGZKfAp/LPAagRAlEWAJ9IjeZd/oEuEXvHZazPU1Vw1nACeQCfWoHp
HqzLLhmiCvDXudnH1hJ5xV8=
=UTE5
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 08:46:18 2014; Machine Name: buxtehude.debian.org
