From dc9740df61e575e8c3148b7bd3c147a81ea00c7c Mon Sep 17 00:00:00 2001
From: Lasse Collin <lasse.collin@tukaani.org>
Date: Mon, 4 Apr 2022 23:52:49 -0700
Subject: zgrep: avoid exploit via multi-newline file names

* zgrep.in: The issue with the old code is that with multiple
newlines, the N-command will read the second line of input,
then the s-commands will be skipped because it's not the end
of the file yet, then a new sed cycle starts and the pattern
space is printed and emptied. So only the last line or two get
escaped. This patch makes sed read all lines into the pattern
space and then do the escaping.

This vulnerability was discovered by:
cleemy desu wayo working with Trend Micro Zero Day Initiative
---
 zgrep.in | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/zgrep.in b/zgrep.in
index 345dae3..bdf7da2 100644
--- a/zgrep.in
+++ b/zgrep.in
@@ -222,9 +222,13 @@ do
 '* | *'&'* | *'\'* | *'|'*)
         i=$(printf '%s\n' "$i" |
             sed '
-              $!N
-              $s/[&\|]/\\&/g
-              $s/\n/\\n/g
+              :start
+              $!{
+                N
+                b start
+              }
+              s/[&\|]/\\&/g
+              s/\n/\\n/g
             ');;
       esac
       sed_script="s|^|$i:|"
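Review bot: dropping the `$` address from the two `s` commands is correct, and the reason deserves a short comment inside the sed script: after the `:start` / `$!{ N; b start }` loop the pattern space holds every line of the file name and sed is by construction on the last input line, so `s/[&\|]/\\&/g` and `s/\n/\\n/g` now escape the whole name instead of only the final line or two that the old `$!N` reached. Keeping `N` behind the `$!` guard is also the right choice for portability: on a single-line name the block never runs and the substitutions still apply, whereas a bare `N` on the last line quits without printing on POSIX seds (GNU sed prints the pattern space unless POSIXLY_CORRECT), which would have made the escaping silently vanish for ordinary names. Since the escaped value is spliced straight into `sed_script="s|^|$i:|"` on the following line, consider a comment there stating the invariant that `$i` contains no raw newline, `&`, `\` or `|`, so that any later change to the character class is checked against the command injection this hunk closes.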
-- 