Your message dated Fri, 22 Apr 2022 06:02:33 +0000
with message-id <e1nhmnf-0002xe...@fasolo.debian.org>
and subject line Bug#1009167: fixed in xz-utils 5.2.4-1+deb10u1
has caused the Debian Bug report #1009167,
regarding xz-utils: CVE-2022-1271: xzgrep: arbitrary-file-write vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1009167: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009167
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: xz-utils
Version: 5.2.5-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: clone -1 -2
Control: retitle -2 gzip: CVE-2022-1271: zgrep: arbitrary-file-write vulnerability
Control: reassign -2 src:gzip 1.10-4
Control: found -2 1.9-3

Hi,

The following vulnerability was published for xz-utils and gzip. Both
have to date been assigned the same CVE, and I am cloning this bug to
have one for gzip as well.

CVE-2022-1271[0]:
| zgrep, xzgrep: arbitrary-file-write vulnerability

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-1271
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271
[1] https://www.openwall.com/lists/oss-security/2022/04/07/8
[2] https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
[3] https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: xz-utils
Source-Version: 5.2.4-1+deb10u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
xz-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1009...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated xz-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 11 Apr 2022 16:51:17 +0200
Source: xz-utils
Architecture: source
Version: 5.2.4-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Jonathan Nieder <jrnie...@gmail.com>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1009167
Changes:
 xz-utils (5.2.4-1+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587)
     (CVE-2022-1271) (Closes: #1009167)

--- End Message ---
