From: Ralph Siemsen <ralph.siem...@linaro.org> zgrep applied to a crafted file name with two or more newlines can no longer overwrite an arbitrary, attacker-selected file.
Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c] CVE: CVE-2022-1271 Signed-off-by: Ralph Siemsen <ralph.siem...@linaro.org> Signed-off-by: Steve Sakoman <st...@sakoman.com> --- .../gzip/gzip-1.10/CVE-2022-1271.patch | 45 +++++++++++++++++++ meta/recipes-extended/gzip/gzip_1.10.bb | 1 + 2 files changed, 46 insertions(+) create mode 100644 meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch diff --git a/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch b/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch new file mode 100644 index 0000000000..046c95df47 --- /dev/null +++ b/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch @@ -0,0 +1,45 @@ +From 7073a366ee71639a1902eefb7500e14acb920f64 Mon Sep 17 00:00:00 2001 +From: Lasse Collin <lasse.col...@tukaani.org> +Date: Mon, 4 Apr 2022 23:52:49 -0700 +Subject: [PATCH] zgrep: avoid exploit via multi-newline file names + +* zgrep.in: The issue with the old code is that with multiple +newlines, the N-command will read the second line of input, +then the s-commands will be skipped because it's not the end +of the file yet, then a new sed cycle starts and the pattern +space is printed and emptied. So only the last line or two get +escaped. This patch makes sed read all lines into the pattern +space and then do the escaping. + +This vulnerability was discovered by: +cleemy desu wayo working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c] +CVE: CVE-2022-1271 + +Signed-off-by: Ralph Siemsen <ralph.siem...@linaro.org> +--- + zgrep.in | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/zgrep.in b/zgrep.in +index 3efdb52..d391291 100644 +--- a/zgrep.in ++++ b/zgrep.in +@@ -222,9 +222,13 @@ do + '* | *'&'* | *'\'* | *'|'*) + i=$(printf '%s\n' "$i" | + sed ' +- $!N +- $s/[&\|]/\\&/g +- $s/\n/\\n/g ++ :start ++ $!{ ++ N ++ b start ++ } ++ s/[&\|]/\\&/g ++ s/\n/\\n/g + ');; + esac + sed_script="s|^|$i:|" diff --git a/meta/recipes-extended/gzip/gzip_1.10.bb b/meta/recipes-extended/gzip/gzip_1.10.bb index 9778e687e1..c558c21f10 100644 --- a/meta/recipes-extended/gzip/gzip_1.10.bb +++ b/meta/recipes-extended/gzip/gzip_1.10.bb @@ -4,6 +4,7 @@ LICENSE = "GPLv3+" SRC_URI = "${GNU_MIRROR}/gzip/${BP}.tar.gz \ file://run-ptest \ + file://CVE-2022-1271.patch \ " SRC_URI_append_class-target = " file://wrong-path-fix.patch" -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#164548): https://lists.openembedded.org/g/openembedded-core/message/164548 Mute This Topic: https://lists.openembedded.org/mt/90511258/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-