zgrep: avoid exploit via multi-newline file names

* zgrep.in: The issue with the old code is that with multiple newlines, the N-command will read the second line of input, then the s-commands will be skipped because it's not the end of the file yet, then a new sed cycle starts and the pattern space is printed and emptied. So only the last line or two get escaped. This patch makes sed read all lines into the pattern space and then do the escaping. This vulnerability was discovered by: cleemy desu wayo working with Trend Micro Zero Day Initiative
author: Lasse Collin <lasse.collin@tukaani.org> 2022-04-04 23:52:49 -0700
committer: Jim Meyering <meyering@fb.com> 2022-04-06 19:04:12 -0700
commit: dc9740df61e575e8c3148b7bd3c147a81ea00c7c (patch)
tree: 15717d875d0b30b64d757f61b32a968d25eff96f /zgrep.in
parent: 4c599fa2d6a5429c92599a51dc2f00bbd00dcb83 (diff)
download: gzip-dc9740df61e575e8c3148b7bd3c147a81ea00c7c.tar.gz
1 files changed, 7 insertions, 3 deletions
diff --git a/zgrep.in b/zgrep.in
index 345dae3..bdf7da2 100644
--- a/zgrep.in
+++ b/zgrep.in
@@ -222,9 +222,13 @@ do
 '* | *'&'* | *'\'* | *'|'*)
         i=$(printf '%s\n' "$i" |
             sed '
-              $!N
-              $s/[&\|]/\\&/g
-              $s/\n/\\n/g
+              :start
+              $!{
+                N
+                b start
+              }
+              s/[&\|]/\\&/g
+              s/\n/\\n/g
             ');;
       esac
       sed_script="s|^|$i:|"
author	Lasse Collin <lasse.collin@tukaani.org>	2022-04-04 23:52:49 -0700
committer	Jim Meyering <meyering@fb.com>	2022-04-06 19:04:12 -0700
commit	dc9740df61e575e8c3148b7bd3c147a81ea00c7c (patch)
tree	15717d875d0b30b64d757f61b32a968d25eff96f /zgrep.in
parent	4c599fa2d6a5429c92599a51dc2f00bbd00dcb83 (diff)
download	gzip-dc9740df61e575e8c3148b7bd3c147a81ea00c7c.tar.gz