CVE-2022-1271

NameCVE-2022-1271
DescriptionAn arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2976-1, DLA-2977-1, DSA-5122-1, DSA-5123-1
Debian Bugs1009167, 1009168

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gzip (PTS)bullseye (security), bullseye1.10-4+deb11u1fixed
bookworm1.12-1fixed
sid, trixie1.12-1.2fixed
xz-utils (PTS)bullseye (security), bullseye5.2.5-2.1~deb11u1fixed
bookworm5.4.1-0.2fixed
sid, trixie5.6.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
gzipsourcestretch1.6-5+deb9u1DLA-2976-1
gzipsourcebuster1.9-3+deb10u1DSA-5122-1
gzipsourcebullseye1.10-4+deb11u1DSA-5122-1
gzipsource(unstable)1.12-11009168
xz-utilssourcestretch5.2.2-1.2+deb9u1DLA-2977-1
xz-utilssourcebuster5.2.4-1+deb10u1DSA-5123-1
xz-utilssourcebullseye5.2.5-2.1~deb11u1DSA-5123-1
xz-utilssource(unstable)5.2.5-2.11009167

Notes

https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c (v1.12)
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=d74a30d45c6834c8e9f87115197370fe86656d81 (v1.12)
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=c99f320d5c0fd98fe88d9cea5407eb7ad9d50e8a (v1.12)
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=6543c09c6ecfb1630085d440b76511953bc5a2cb (v1.12)
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=0e2d07fc2c4393cfb9dbab580d0bee4525b9c9b3 (v1.12)
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=5e1fc8b92c1af9382365aef0f9130341ee1d2c76 (v1.12)
Improves further the fix: https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=9d3248751178939713a39115cf68ec8a11506cc9 (v1.12)
https://www.openwall.com/lists/oss-security/2022/04/07/8
https://www.zerodayinitiative.com/advisories/ZDI-22-619/

Search for package or bug name: Reporting problems