| Name | CVE-2022-1271 |
| Description | An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-2976-1, DLA-2977-1, DSA-5122-1, DSA-5123-1, ELA-593-1, ELA-594-1 |
| Debian Bugs | 1009167, 1009168 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| gzip (PTS) | jessie, jessie (lts) | 1.6-4+deb8u1 | fixed |
| stretch (security), stretch (lts), stretch | 1.6-5+deb9u1 | fixed | |
| buster, buster (security) | 1.9-3+deb10u1 | fixed | |
| bullseye (security), bullseye | 1.10-4+deb11u1 | fixed | |
| bookworm | 1.12-1 | fixed | |
| sid, trixie | 1.12-1.1 | fixed | |
| xz-utils (PTS) | jessie, jessie (lts) | 5.1.1alpha+20120614-2+deb8u1 | fixed |
| stretch (security), stretch (lts), stretch | 5.2.2-1.2+deb9u1 | fixed | |
| buster, buster (security) | 5.2.4-1+deb10u1 | fixed | |
| bullseye (security), bullseye | 5.2.5-2.1~deb11u1 | fixed | |
| bookworm | 5.4.1-0.2 | fixed | |
| sid, trixie | 5.6.1+really5.4.5-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| gzip | source | jessie | 1.6-4+deb8u1 | ELA-593-1 | ||
| gzip | source | stretch | 1.6-5+deb9u1 | DLA-2976-1 | ||
| gzip | source | buster | 1.9-3+deb10u1 | DSA-5122-1 | ||
| gzip | source | bullseye | 1.10-4+deb11u1 | DSA-5122-1 | ||
| gzip | source | (unstable) | 1.12-1 | 1009168 | ||
| xz-utils | source | jessie | 5.1.1alpha+20120614-2+deb8u1 | ELA-594-1 | ||
| xz-utils | source | stretch | 5.2.2-1.2+deb9u1 | DLA-2977-1 | ||
| xz-utils | source | buster | 5.2.4-1+deb10u1 | DSA-5123-1 | ||
| xz-utils | source | bullseye | 5.2.5-2.1~deb11u1 | DSA-5123-1 | ||
| xz-utils | source | (unstable) | 5.2.5-2.1 | 1009167 |
https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c (v1.12)
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=d74a30d45c6834c8e9f87115197370fe86656d81 (v1.12)
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=c99f320d5c0fd98fe88d9cea5407eb7ad9d50e8a (v1.12)
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=6543c09c6ecfb1630085d440b76511953bc5a2cb (v1.12)
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=0e2d07fc2c4393cfb9dbab580d0bee4525b9c9b3 (v1.12)
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=5e1fc8b92c1af9382365aef0f9130341ee1d2c76 (v1.12)
Improves further the fix: https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=9d3248751178939713a39115cf68ec8a11506cc9 (v1.12)
https://www.openwall.com/lists/oss-security/2022/04/07/8
https://www.zerodayinitiative.com/advisories/ZDI-22-619/