Received: (at submit) by bugs.debian.org; 7 Aug 1999 21:22:45 +0000
Received: (qmail 23638 invoked from network); 7 Aug 1999 21:22:43 -0000
Received: from chardonnay.math.bme.hu (qmailr@152.66.83.144) by master.debian.org with SMTP; 7 Aug 1999 21:22:43 -0000
Received: (qmail 9866 invoked from network); 7 Aug 1999 21:22:36 -0000
Received: from line56.dial.bme.hu (qmailr@152.66.142.56) by chardonnay.math.bme.hu with SMTP; 7 Aug 1999 21:22:36 -0000
Received: (qmail 6560 invoked by uid 1000); 7 Aug 1999 21:17:49 -0000
Date: 7 Aug 1999 21:17:49 -0000
Message-ID: <19990807211749.6558.qmail@utopia>
From: korn@eik.bme.hu
Subject: grep: Potential security risk: control characters in filenames are printed without filtering.
To: submit@bugs.debian.org
X-Mailer: bug 3.2.2

Package: grep
Version: 2.3-4
Severity: normal

Hi,

if you create a file named ^G (ctrl-g) and do something like

  grep foo *

in the directory where the file resides, you will hear a beep when grep prints the line ^G:foo (naturally only if ^G contained 'foo'). A malicious user could create a file whose name contains more harmful control characters and wait for another user to grep for a string that file contains.

I admit this is a long shot, but still: filenames should be filtered and control characters removed before the name of the file is printed.

This potentially affects many other packages as well. I have verified that joe is vulnerable and have posted a bug report; I don't have the time to check any other programs. Perhaps this issue should be brought up on bugtraq as well.

Best regards,

--
Andrew Korn (Korn Andras)
http://goliat.eik.bme.hu/~korn
Finger korn@goliat.eik.bme.hu for pgp key. Homepage is obsolete.
QOTD: User (n): technical term used by programmers - see idiot.
-- System Information
Debian Release: potato
Kernel Version: Linux utopia 2.2.10-ac12 #59 Fri Jul 23 17:23:40 CEST 1999 i586 unknown

Versions of the packages grep depends on:
ii  libc6  2.1.2-0pre1  GNU C Library: Shared libraries and timezone
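The filtering the report asks for, as an added example that is not grep's own code: control bytes in a filename are escaped before a match line is printed, using the backslash-octal notation that ls -b uses. The sanitize_filename and print_match helpers and the two sample filenames are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Escape control bytes (0x00-0x1f and 0x7f) in a filename as \ooo before it
 * reaches a terminal; a literal backslash is doubled so output stays
 * unambiguous. Returns the escaped length, or -1 if outlen is too small.
 * Added illustration, not grep's own code. */
int sanitize_filename(const char *name, char *out, size_t outlen)
{
    size_t pos = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p < 0x20 || *p == 0x7f) {
            if (pos + 4 >= outlen) return -1;
            /* four bytes: backslash plus three octal digits */
            snprintf(out + pos, outlen - pos, "\\%03o", *p);
            pos += 4;
        } else if (*p == '\\') {
            if (pos + 2 >= outlen) return -1;
            out[pos++] = '\\';
            out[pos++] = '\\';
        } else {
            if (pos + 1 >= outlen) return -1;
            out[pos++] = (char)*p;
        }
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Print a grep-style "filename:line" match with the name escaped. */
void print_match(const char *name, const char *line)
{
    char safe[1024];
    if (sanitize_filename(name, safe, sizeof safe) < 0) {
        fputs("(filename too long)\n", stderr);
        return;
    }
    printf("%s:%s\n", safe, line);
}

int main(void)
{
    /* constructed filenames: a bell (^G) and an ANSI "clear screen" sequence */
    print_match("\a", "foo");
    print_match("foo\033[2Jbar", "foo");
    return 0;
}
```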