From dc9740df61e575e8c3148b7bd3c147a81ea00c7c Mon Sep 17 00:00:00 2001
From: Lasse Collin <lasse.collin@tukaani.org>
Date: Mon, 4 Apr 2022 23:52:49 -0700
Subject: zgrep: avoid exploit via multi-newline file names

* zgrep.in: The issue with the old code is that with multiple
newlines, the N-command will read the second line of input,
then the s-commands will be skipped because it's not the end
of the file yet, then a new sed cycle starts and the pattern
space is printed and emptied. So only the last line or two get
escaped. This patch makes sed read all lines into the pattern
space and then do the escaping.

This vulnerability was discovered by:
cleemy desu wayo working with Trend Micro Zero Day Initiative
---
 zgrep.in | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/zgrep.in b/zgrep.in
index 345dae3..bdf7da2 100644
--- a/zgrep.in
+++ b/zgrep.in
@@ -222,9 +222,13 @@ do
 '* | *'&'* | *'\'* | *'|'*)
         i=$(printf '%s\n' "$i" |
             sed '
-              $!N
-              $s/[&\|]/\\&/g
-              $s/\n/\\n/g
+              :start
+              $!{
+                N
+                b start
+              }
+              s/[&\|]/\\&/g
+              s/\n/\\n/g
             ');;
       esac
       sed_script="s|^|$i:|"
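Review bot: the `:start` / `$!{ N; b start }` loop has no comment in zgrep.in saying why the whole name must be in the pattern space before the two s-commands run; that reasoning lives only in the commit message, and the removed `$!N` form looked equally plausible. A short shell comment above the `i=$(printf '%s\n' "$i" |` line, along the lines of "read all lines of the name before escaping", would keep a later cleanup from collapsing the loop again. The diffstat also shows zgrep.in as the only file touched, so nothing exercises a name with two or more newlines; a regression test for that case would protect the escaping, since `$i` goes straight into `sed_script="s|^|$i:|"`.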
-- 
cgit v1.1
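The sed cycle behaviour described in the commit message can be checked by running the removed and the added escaping over constructed names and counting the newlines that come out unescaped. This is an added example, not part of the patch or the project's code; the function names `escape_old`, `escape_new`, `raw_newlines` and the sample names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the patch): compare the two sed scripts in the hunk.

# Escaping as written in the removed lines.
escape_old() {
  printf '%s\n' "$1" | sed '
    $!N
    $s/[&\|]/\\&/g
    $s/\n/\\n/g
  '
}

# Escaping as written in the added lines: slurp every line, then escape.
escape_new() {
  printf '%s\n' "$1" | sed '
    :start
    $!{
      N
      b start
    }
    s/[&\|]/\\&/g
    s/\n/\\n/g
  '
}

# Hypothetical helper: number of literal newlines still present in a string.
# Anything above 0 means the value would span lines inside sed_script.
raw_newlines() {
  printf '%s' "$1" | wc -l | tr -d ' '
}

nl='
'
# Constructed sample names: one newline, then three newlines plus | and &.
one="a${nl}b"
three="a${nl}b|c${nl}d&e${nl}f"

for name in "$one" "$three"; do
  old=$(escape_old "$name")
  new=$(escape_new "$name")
  printf 'old leaves %s raw newline(s), new leaves %s\n' \
    "$(raw_newlines "$old")" "$(raw_newlines "$new")"
done
```

With the three-newline name the old script also leaves the `|` on the second line unescaped, because the s-commands only ever run on the cycle that holds the last line.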