mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-02 01:19:52 +00:00
Code Issues Projects Releases Wiki Activity

gzip: fix CVE-2022-1271

Browse Source 
zgrep applied to a crafted file name with two or more newlines
can no longer overwrite an arbitrary, attacker-selected file.

Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c]
CVE: CVE-2022-1271

(From OE-Core rev: b7f0696bc60409af215549d26621526c1a93a002)

Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Ralph Siemsen
2022-04-08 22:17:23 -04:00
committed by Richard Purdie
parent 08a3ac8403
commit 170ce893e7
2 changed files with 46 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch
+45
View File
@@ -0,0 +1,45 @@
From 7073a366ee71639a1902eefb7500e14acb920f64 Mon Sep 17 00:00:00 2001
From: Lasse Collin <lasse.collin@tukaani.org>
Date: Mon, 4 Apr 2022 23:52:49 -0700
Subject: [PATCH] zgrep: avoid exploit via multi-newline file names
* zgrep.in: The issue with the old code is that with multiple
newlines, the N-command will read the second line of input,
then the s-commands will be skipped because it's not the end
of the file yet, then a new sed cycle starts and the pattern
space is printed and emptied. So only the last line or two get
escaped. This patch makes sed read all lines into the pattern
space and then do the escaping.
This vulnerability was discovered by:
cleemy desu wayo working with Trend Micro Zero Day Initiative
Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c]
CVE: CVE-2022-1271
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
---
zgrep.in | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/zgrep.in b/zgrep.in
index 3efdb52..d391291 100644
--- a/zgrep.in
+++ b/zgrep.in
@@ -222,9 +222,13 @@ do
'* | *'&'* | *'\'* | *'|'*)
i=$(printf '%s\n' "$i" |
sed '
- $!N
- $s/[&\|]/\\&/g
- $s/\n/\\n/g
+ :start
+ $!{
+ N
+ b start
+ }
+ s/[&\|]/\\&/g
+ s/\n/\\n/g
');;
esac
sed_script="s|^|$i:|"
meta/recipes-extended/gzip/gzip_1.10.bb
+1
View File
@@ -4,6 +4,7 @@ LICENSE = "GPLv3+"
SRC_URI = "${GNU_MIRROR}/gzip/${BP}.tar.gz \
file://run-ptest \
file://CVE-2022-1271.patch \
"
SRC_URI_append_class-target = " file://wrong-path-fix.patch"