Related Vulnerabilities: CVE-2022-1271  


Severity: High

Remote: No

Type: Arbitrary file overwrite

Description

Malicious filenames with two or more newlines can make zgrep and xzgrep write to arbitrary files or (with a GNU sed extension) lead to arbitrary code execution. The issue with the old code is that, with multiple newlines, the N command reads the second line of input, the s commands are then skipped because it is not yet the end of the file, and then a new sed cycle starts and the pattern space is printed and emptied. So only the last line or two get escaped.
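The sed cycle behaviour described above can be reproduced on a harmless multi-line string, next to a per-line escaping variant that never skips a line. This is an added example, not code from gzip, XZ Utils or this advisory: the function names and both sed scripts are assumptions reconstructed from the description, and the sample input is constructed.

```sh
#!/bin/sh
# Added example: escaping a multi-line filename before it is used as the
# replacement text of a sed 's|^|NAME:|' command.
# Both sed scripts are reconstructions for illustration (assumptions), not
# copied from gzip or XZ Utils.

# Old approach as described above: N joins two lines, but the s commands are
# guarded by '$', so they only run in the cycle that contains the last line.
escape_old() {
  printf '%s\n' "$1" | LC_ALL=C sed '
    $!N
    $s/[\\|&]/\\&/g
    $s/\n/\\n/g
  '
}

# Per-line approach: escape metacharacters on every line and end every line
# except the last with a backslash, so no cycle is ever skipped.
escape_per_line() {
  printf '%s\n' "$1" | LC_ALL=C sed 's/[\\|&]/\\&/g; $!s/$/\\/'
}

# Succeeds (exit 0) if some '|' or '&' is not preceded by a backslash.
# Simplified check: sufficient for the constructed samples used here.
has_raw_metachar() {
  printf '%s\n' "$1" | grep -Eq '(^|[^\\])[|&]'
}

# Constructed sample: a harmless three-line "filename".
sample='a|b
c|d
e|f'

for fn in escape_old escape_per_line; do
  out=$($fn "$sample")
  if has_raw_metachar "$out"; then
    verdict='raw metacharacters remain'
  else
    verdict='fully escaped'
  fi
  printf '%s: %s\n%s\n\n' "$fn" "$verdict" "$out"
done
```

With three input lines the old approach leaves the first two lines untouched; with four, only the last pair is escaped, matching "only the last line or two".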

Group     Package  Affected  Fixed    Severity  Status
AVG-2666  gzip     1.11-1    1.12-1   High      Fixed
AVG-2665  xz       5.2.5-2   5.2.5-3  High      Fixed

https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c
https://savannah.gnu.org/forum/forum.php?forum_id=10157
https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch.sig

xzgrep from XZ Utils versions up to and including 5.2.5 is affected. 5.3.1alpha and 5.3.2alpha are affected as well.
This bug was inherited into xzgrep from gzip's zgrep.
gzip 1.12 includes a fix for zgrep.