A week ago, this vulnerability in the GNU zgrep script and its xzgrep offspring was announced: https://www.openwall.com/lists/oss-security/2022/04/07/8
A number of compression tools ship with some *grep script, so here's the rundown:

* GNU gzip (zgrep) -- n/a
  We have our own gzip in base, our zgrep(1) is not a script.

* archivers/xz (xzgrep) -- AFFECTED
  Upstream fix committed.

* archivers/bzip2 (bzgrep) -- not affected
  Filenames are run through tr '\n' ' '.

* archivers/zstd (zstdgrep) -- not affected
  Filenames are set unportably with grep's --label option.

* archivers/unzip (zipgrep) -- AFFECTED
  Archive member names are extracted with unzip -Z1, which renders \n as ^J. However, the result is processed by shell command substitution, so it undergoes field splitting and pathname expansion. If a file with an exploitable name is present in the current working directory, an archive member with a shell wildcard in its name may inadvertently feed it to sed. Yes, it's convoluted. The xzgrep fix can be applied.

That's all I can find.

--
Christian "naddy" Weisgerber na...@mips.inka.de
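
Added example, not part of the original message and not code from zipgrep: it shows the field splitting and pathname expansion described for the zipgrep case, next to a line-by-line read that keeps each member name intact. The function names, the member names and the scratch files are constructed for illustration, and list_members stands in for the output of unzip -Z1.

```shell
#!/bin/sh
# Constructed stand-in for `unzip -Z1 archive.zip`: one member name per line.
# The names are made up; the second one contains a shell wildcard.
list_members() {
    printf '%s\n' 'notes.txt' '*.log' 'my report.txt'
}

# Pattern described in the message: unquoted command substitution, so the
# list undergoes field splitting and pathname expansion in the current dir.
names_unquoted() (
    cd "$1" || exit 1
    for name in $(list_members); do
        printf '[%s]' "$name"
    done
)

# Hardened form: read the list line by line; nothing is split or globbed.
names_linewise() (
    cd "$1" || exit 1
    list_members | while IFS= read -r name; do
        printf '[%s]' "$name"
    done
)

# Scratch directory holding files that the wildcard member name will match.
make_scratch() {
    dir=$(mktemp -d) || return 1
    : > "$dir/a.log"
    : > "$dir/b.log"
    printf '%s\n' "$dir"
}

demo() {
    d=$(make_scratch) || return 1
    printf 'unquoted: %s\n' "$(names_unquoted "$d")"
    printf 'linewise: %s\n' "$(names_linewise "$d")"
    rm -rf "$d"
}

demo
```

In the unquoted form the three member names become five words, two of which are files from the working directory that were never in the archive listing.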