Context Navigation

← Previous Ticket
Next Ticket →

#5042 closed enhancement (fixed)

gzip-1.12

Reported by:	Bruce Dubbs	Owned by:	Bruce Dubbs
Priority:	high	Milestone:	11.2
Component:	Book	Version:	git
Severity:	normal	Keywords:
Cc:

Description

New point version.

Change History (6)

comment:1 by ken@…, 2 years ago

https://www.openwall.com/lists/oss-security/2022/04/07/8

xzutils also affected, patch mentioned in that post, followup includes an example exploit (did not work for me, but maybe I missed something - I've got more urgent issues, I rarely use zgrep).

CVE-2022-1271 has been assigned to this issue.

comment:2 by Douglas R. Reno, 2 years ago

Priority:	normal → high

comment:3 by Douglas R. Reno, 2 years ago

From Arch:

Arch Linux Security Advisory ASA-202204-7
=========================================

Severity: High
Date    : 2022-04-07
CVE-ID  : CVE-2022-1271
Package : gzip
Type    : arbitrary command execution
Remote  : No
Link    : https://security.archlinux.org/AVG-2666

Summary
=======

The package gzip before version 1.12-1 is vulnerable to arbitrary
command execution.

Resolution
==========

Upgrade to 1.12-1.

# pacman -Syu "gzip>=1.12-1"

The problem has been fixed upstream in version 1.12.

Workaround
==========

None.

Description
===========

Malicious filenames with two or more newlines can make zgrep and xzgrep
to write to arbitrary files or (with a GNU sed extension) lead to
arbitrary code execution. The issue with the old code is that with
multiple newlines, the N-command will read the second line of input,
then the s-commands will be skipped because it's not the end of  the
file yet, then a new sed cycle starts and the pattern space is printed
and emptied. So only the last line or two get escaped.

Impact
======

An attacker is able to provide malicious filenames to write to
arbitrary files or execute arbitrary commands on the affected host.

References
==========

https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c
https://savannah.gnu.org/forum/forum.php?forum_id=10157
https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch.sig
https://security.archlinux.org/CVE-2022-1271

A preliminary look tells me that we'll need to patch XZ as well.

comment:4 by Bruce Dubbs, 2 years ago

Owner:	changed from lfs-book to Bruce Dubbs
Status:	new → assigned

comment:5 by Bruce Dubbs, 2 years ago

Resolution:	→ fixed
Status:	assigned → closed

Fixed at commit 62b66860b3f0bd7fd419817518798443bce90a8e

Package updates.
    Update to libcap-2.64.
    Update to linux-5.17.3.
    Update to gzip-1.12.

comment:6 by Douglas R. Reno, 2 years ago

Security Advisory 11.1-028 issued.

Note: See TracTickets for help on using tickets.

Download in other formats: