[dunfell] gzip: fix CVE-2022-1271

Message ID 20220409021723.201373-1-ralph.siemsen@linaro.org
State Accepted, archived
Commit b7f0696bc60409af215549d26621526c1a93a002
Series [dunfell] gzip: fix CVE-2022-1271

Commit Message

Ralph Siemsen April 9, 2022, 2:17 a.m. UTC
zgrep applied to a crafted file name with two or more newlines
can no longer overwrite an arbitrary, attacker-selected file.

Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c]
CVE: CVE-2022-1271

Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
---
 .../gzip/gzip-1.10/CVE-2022-1271.patch        | 45 +++++++++++++++++++
 meta/recipes-extended/gzip/gzip_1.10.bb       |  1 +
 2 files changed, 46 insertions(+)
 create mode 100644 meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch

Patch

diff --git a/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch b/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch
new file mode 100644
index 0000000000..046c95df47
--- /dev/null
+++ b/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch
@@ -0,0 +1,45 @@ 
+From 7073a366ee71639a1902eefb7500e14acb920f64 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Mon, 4 Apr 2022 23:52:49 -0700
+Subject: [PATCH] zgrep: avoid exploit via multi-newline file names
+
+* zgrep.in: The issue with the old code is that with multiple
+newlines, the N-command will read the second line of input,
+then the s-commands will be skipped because it's not the end
+of the file yet, then a new sed cycle starts and the pattern
+space is printed and emptied. So only the last line or two get
+escaped. This patch makes sed read all lines into the pattern
+space and then do the escaping.
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c]
+CVE: CVE-2022-1271
+
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+---
+ zgrep.in | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/zgrep.in b/zgrep.in
+index 3efdb52..d391291 100644
+--- a/zgrep.in
++++ b/zgrep.in
+@@ -222,9 +222,13 @@ do
+ '* | *'&'* | *'\'* | *'|'*)
+         i=$(printf '%s\n' "$i" |
+             sed '
+-              $!N
+-              $s/[&\|]/\\&/g
+-              $s/\n/\\n/g
++              :start
++              $!{
++                N
++                b start
++              }
++              s/[&\|]/\\&/g
++              s/\n/\\n/g
+             ');;
+       esac
+       sed_script="s|^|$i:|"
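Review bot: the commit id in the embedded patch header does not match the one cited in its Upstream-Status line. The header (L33) reads `From 7073a366ee71639a1902eefb7500e14acb920f64`, while the Upstream-Status tag in the same file (L49) and in the cover commit message points at `dc9740df61e575e8c3148b7bd3c147a81ea00c7c`; please confirm which is the upstream gzip commit and make the two agree so the backport is traceable. The sed change itself looks right: the old `$!N` only appended one line before the `$`-anchored substitutions ran, so with two or more newlines the pattern space was flushed unescaped; the new `:start / $!{ N; b start }` loop collects every line first, after which the unconditional `s/[&\|]/\\&/g` and `s/\n/\\n/g` escape the whole name before it reaches `sed_script`. Since the upstream hunk is against `zgrep.in` line 222 of a newer gzip, a short note in the commit message that the patch applies to 1.10 without fuzz and that the ptest still passes would help the dunfell maintainers.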
diff --git a/meta/recipes-extended/gzip/gzip_1.10.bb b/meta/recipes-extended/gzip/gzip_1.10.bb
index 9778e687e1..c558c21f10 100644
--- a/meta/recipes-extended/gzip/gzip_1.10.bb
+++ b/meta/recipes-extended/gzip/gzip_1.10.bb
@@ -4,6 +4,7 @@  LICENSE = "GPLv3+"
 
 SRC_URI = "${GNU_MIRROR}/gzip/${BP}.tar.gz \
            file://run-ptest \
+           file://CVE-2022-1271.patch \
           "
 SRC_URI_append_class-target = " file://wrong-path-fix.patch"