Bzip2 (bzgrep)

Ken Moffat ken at kenmoffat.uklinux.net
Tue Aug 9 14:06:02 PDT 2005


The vulnerability in zgrep (CAN-2005-0758) applies also to bzgrep.
Attached patch is from fedora3, modified to use bash as the shell (as
Ubuntu do - I suspect there is a typo in their patch).  Rated as low
risk: a gullible user has to use bzgrep in an untrusted directory with
specially-crafted filenames, and any arbitrary code will run with the
user's own permissions.

Ken
-- 
 the one time as tragedy, the other time as farce
Submitted By: Ken Moffat <ken at kenmoffat.uklinux.net>
Date: 2005-08-09
Initial Package Version: 1.0.3
Upstream Status: Unknown.
Origin: Jyri Ryska (RedHat) for fedora3
Description: Fixes filename sanitisation in bzgrep.
This fixes CAN-2005-0758 (if a user can be tricked into running
bzgrep in an untrusted directory containing files with carefully
crafted filenames, arbitrary commands could be executed as the user
running bzgrep).  Risk is reported as low.  I've modified it to force
the interpreter to be bash; some of the other shells in use won't
like the bash syntax.

diff -Naur bzip2-1.0.3/bzgrep bzip2-1.0.3-new/bzgrep
--- bzip2-1.0.3/bzgrep	2004-10-09 12:29:32.000000000 +0100
+++ bzip2-1.0.3-new/bzgrep	2005-08-09 21:36:37.000000000 +0100
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 # Bzgrep wrapped for bzip2, 
 # adapted from zgrep by Philippe Troin <phil at fifi.org> for Debian GNU/Linux.
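Review bot: the switch from /bin/sh to /bin/bash is needed because the `${i//\\/\\\\}`-style substitutions in the next hunk are bash-only, but that reason is recorded only in the patch description, not in the script; add a comment under the shebang such as `# bash required: uses ${var//pattern/replacement} substitution` so the interpreter is not quietly reverted to /bin/sh later. Hard-coding /bin/bash also assumes bash is installed at that path; keeping /bin/sh and doing the same escaping with sed would avoid the new dependency.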
@@ -63,7 +63,11 @@
     bzip2 -cdfq "$i" | $grep $opt "$pat"
     r=$?
   else
-    bzip2 -cdfq "$i" | $grep $opt "$pat" | sed "s|^|${i}:|"
+    j=${i//\\/\\\\}
+    j=${j//|/\\|}
+    j=${j//&/\\&}
+    j=`printf "%s" "$j" | tr '\n' ' '`
+    bzip2 -cdfq "$i" | $grep $opt "$pat" | sed "s|^|${j}:|"
     r=$?
   fi
   test "$r" -ne 0 && res="$r"
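Review bot: the escaping order is correct (backslashes are doubled before `|` and `&` are escaped, so the escapes added afterwards are not themselves doubled), but the hunk carries no comment saying why these characters matter; add a line such as `# escape sed replacement metacharacters in the filename: \ | & and newline` above `j=${i//\\/\\\\}`. Two things to verify before merging: the replacement side `\\\\` relies on bash quote removal in an unquoted `${var//...}` expansion, which is the part of the fix most sensitive to the bash version in use, and `tr '\n' ' '` silently rewrites a filename that contains a newline, so the prefix sed prints will not match the real name. A quick check with files named with `\`, `|`, `&` and an embedded newline in a scratch directory would confirm the escaping, and also that the unchanged `if` branch (which passes `$i` only to bzip2, never to sed) needs no equivalent change.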

