Wednesday, April 13, 2022

Security: CVE-2022-1271: That xzgrep etc. vulnerability

A week ago, this vulnerability in the GNU zgrep script and its
xzgrep offspring was announced:
https://www.openwall.com/lists/oss-security/2022/04/07/8

A number of compression tools ship with some *grep script, so here's
the rundown:

* GNU gzip (zgrep) -- n/a
We have our own gzip in base, our zgrep(1) is not a script.

* archivers/xz (xzgrep) -- AFFECTED
Upstream fix committed.

* archivers/bzip2 (bzgrep) -- not affected
Filenames are run through tr '\n' ' '.

* archivers/zstd (zstdgrep) -- not affected
Filenames are set unportably with grep's --label option.

* archivers/unzip (zipgrep) -- AFFECTED
archive member names are extracted with unzip -Z1, which renders
\n as ^J. However, the result is processed by shell command
substitution, so it undergoes field splitting and pathname
expansion. If a file with an exploitable name is present in the
current working directory, a archive member with a shell wildcard
in its name may inadvertently feed it to sed. Yes, it's convoluted.
The xzgrep fix can be applied.

That's all I can find.

--
Christian "naddy" Weisgerber naddy@mips.inka.de

No comments:

Post a Comment