Package: gzip
Version: 1.3.5-9
Severity: important

Quoted from http://bugs.gentoo.org/show_bug.cgi?id=90626:

> zgrep contains the following gem:
>
>     for i do
> [snip]
>       if test $with_filename -eq 1; then
>         sed_script="s|^[^:]*:|${i}:|"
>       else
>         sed_script="s|^|${i}:|"
>       fi
>       $grep $opt "$pat" | sed "$sed_script"
> [snip]
>     done
>
> Aside of the correctness issues (try to use zgrep on files with e.g. '&' in
> names), it leads to obvious fun when zgrep arguments had been obtained
> by globbing in an untrusted place. Even with standard sed we have at
> least ;w<filename>; to deal with; for GNU sed there's also ;e; on top
> of that (execute the contents of pattern space). bzgrep is no better -
> it's based on zgrep.
>
> AFAICS, there are two solutions - one is to do what *BSD had done and
> make grep(1) use zlib and libbz; then zgrep et.al. become links to
> grep. Another is to quote \, |, ; and newlines, which means extra
> invocation of sed(1)...

A patch is available in the same thread

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)

Versions of packages gzip depends on:
ii  debianutils  2.13.2        Miscellaneous utilities specific t
ii  libc6        2.3.2.ds1-21  GNU C Library: Shared libraries an

-- no debconf information
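
The second fix suggested in the quoted report (quoting the file name before it reaches sed), as an added example that is not part of the original report or of the patch in the thread. The function names and the sample file name are constructed; the example escapes backslash, '&', the '|' delimiter and newlines, which are the characters special in the replacement part of s|...|...|.

```shell
#!/bin/sh
# Added example: label grep output with a file name without letting the
# name be interpreted as sed syntax. Function names are hypothetical.

# Unquoted form, as in the zgrep loop quoted above (kept for comparison):
# the file name is pasted straight into the sed script.
prefix_lines_unquoted() {
  sed "s|^|${1}:|"
}

# Quoted form: escape backslash, '&' and the '|' delimiter, and continue
# every embedded newline with a backslash, before building the script.
# The trailing 'x' keeps $(...) from dropping a newline that ends the name.
prefix_lines() {
  _esc=$(printf '%sx\n' "$1" | sed -e 's/[\\|&]/\\&/g' -e '$!s/$/\\/')
  _esc=${_esc%x}
  sed "s|^|${_esc}:|"
}

# Constructed sample: one file name containing '&', '|' and a backslash.
demo_name='a&b|c\d'
demo() {
  printf 'match\n' | prefix_lines "$demo_name"
}

demo
```

The extra sed invocation in prefix_lines is the cost the report mentions for this approach.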