diff --git a/cve-2022-1271-part1.patch b/cve-2022-1271-part1.patch
new file mode 100644
index 0000000..2544012
--- /dev/null
+++ b/cve-2022-1271-part1.patch
@@ -0,0 +1,43 @@
+From dc9740df61e575e8c3148b7bd3c147a81ea00c7c Mon Sep 17 00:00:00 2001
+From: Lasse Collin
+Date: Mon, 4 Apr 2022 23:52:49 -0700
+Subject: zgrep: avoid exploit via multi-newline file names
+
+* zgrep.in: The issue with the old code is that with multiple
+newlines, the N-command will read the second line of input,
+then the s-commands will be skipped because it's not the end
+of the file yet, then a new sed cycle starts and the pattern
+space is printed and emptied. So only the last line or two get
+escaped. This patch makes sed read all lines into the pattern
+space and then do the escaping.
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+---
+ zgrep.in | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/zgrep.in b/zgrep.in
+index 345dae3..bdf7da2 100644
+--- a/zgrep.in
++++ b/zgrep.in
+@@ -222,9 +222,13 @@ do
+ '* | *'&'* | *'\'* | *'|'*)
+ i=$(printf '%s\n' "$i" |
+ sed '
+- $!N
+- $s/[&\|]/\\&/g
+- $s/\n/\\n/g
++ :start
++ $!{
++ N
++ b start
++ }
++ s/[&\|]/\\&/g
++ s/\n/\\n/g
+ ');;
+ esac
+ sed_script="s|^|$i:|"
+--
+cgit v1.1
+
diff --git a/cve-2022-1271-part2.patch b/cve-2022-1271-part2.patch
new file mode 100644
index 0000000..fa7dc9b
--- /dev/null
+++ b/cve-2022-1271-part2.patch
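Review bot: The new sed loop in the zgrep.in hunk of part1 (`:start`, `$!{`, `N`, `b start`, `}`) carries no comment explaining why the whole file name must be in the pattern space before the `s` commands run, although that ordering is the security fix. I would add above the `i=$(printf` line: `# Read every line of the file name into the pattern space before escaping; with a single N only the last line or two were escaped.` The `s/\n/\\n/g` line kept here is what the part3 patch in this same commit describes as relying on a GNU sed extension, so part1 is an intermediate state and should not be cherry-picked on its own. The enclosing `case` statement and `do` loop begin outside the hunk.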
@@ -0,0 +1,77 @@
+From d74a30d45c6834c8e9f87115197370fe86656d81 Mon Sep 17 00:00:00 2001
+From: Jim Meyering
+Date: Mon, 4 Apr 2022 23:52:49 -0700
+Subject: zgrep: add NEWS and tests for this exploitable bug
+
+* tests/zgrep-abuse: New file, based on PoC by cleemy desu wayo.
+* tests/Makefile.am (TESTS): Add it.
+* NEWS: Mention the exploit.
+The bug appears to have been present since the beginning.
+---
+ tests/Makefile.am | 1 +
+ tests/zgrep-abuse | 41 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 45 insertions(+)
+ create mode 100755 tests/zgrep-abuse
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index d09672e..5f148d6 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -36,6 +36,7 @@ TESTS = \
+ z-suffix \
+ zdiff \
+ zgrep-f \
++ zgrep-abuse \
+ zgrep-context \
+ zgrep-signal \
+ znew-k
+diff --git a/tests/zgrep-abuse b/tests/zgrep-abuse
+new file mode 100755
+index 0000000..3e8a8f9
+--- /dev/null
++++ b/tests/zgrep-abuse
+@@ -0,0 +1,41 @@
++#!/bin/sh
++# Show how zgrep applied to a crafted file name may overwrite
++# a selected file with chosen content. Fixed in gzip-1.12.
++
++# Copyright (C) 2022 Free Software Foundation, Inc.
++
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see .
++# limit so don't run it by default.
++
++. "${srcdir=.}/init.sh"; path_prepend_ ..
++
++: > z || framework_failure_
++echo test |gzip > 'z|
++p
++1s|.*|chosen-content|
++1w hacked
++etouch .\x2fhacked2
++d
++#
++#' || framework_failure_
++
++fail=0
++
++zgrep test z* > /dev/null
++
++# Before the fix, each of these would be created.
++test -f hacked && fail=1
++test -f hacked2 && fail=1
++
++Exit $fail
+--
+cgit v1.1
+
diff --git a/cve-2022-1271-part3.patch b/cve-2022-1271-part3.patch
new file mode 100644
index 0000000..3509464
--- /dev/null
+++ b/cve-2022-1271-part3.patch
@@ -0,0 +1,46 @@
+From c99f320d5c0fd98fe88d9cea5407eb7ad9d50e8a Mon Sep 17 00:00:00 2001
+From: Paul Eggert
+Date: Mon, 4 Apr 2022 23:52:49 -0700
+Subject: zgrep: port to POSIX sed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* zgrep.in (res): When escaping the file name do not rely on GNU
+sed’s extension to POSIX with respect to s/.../\n/. Instead, use
+features that should also work with AIX and/or Solaris sed. This is
+simpler anyway, and would have prevented the recently-fixed bug.
+---
+ zgrep.in | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/zgrep.in b/zgrep.in
+index bdf7da2..6a16dd1 100644
+--- a/zgrep.in
++++ b/zgrep.in
+@@ -220,18 +220,11 @@ do
+ case $i in
+ (*'
+ '* | *'&'* | *'\'* | *'|'*)
+- i=$(printf '%s\n' "$i" |
+- sed '
+- :start
+- $!{
+- N
+- b start
+- }
+- s/[&\|]/\\&/g
+- s/\n/\\n/g
+- ');;
++ icolon=$(printf '%s\n' "$i:" |
++ sed -e 's/[&\|]/\\&/g' -e '$!s/$/\\/');;
++ (*) icolon="$i:";;
+ esac
+- sed_script="s|^|$i:|"
++ sed_script="s|^|$icolon|"
+
+ # Fail if grep or sed fails.
+ r=$(
+--
+cgit v1.1
+
diff --git a/gzip.spec b/gzip.spec
index d23fb15..ad30c5b 100644
--- a/gzip.spec
+++ b/gzip.spec
@@ -1,7 +1,7 @@
 Summary: The GNU data compression program
 Name: gzip
 Version: 1.9
-Release: 12%{?dist}
+Release: 13%{?dist}
 # info pages are under GFDL license
 License: GPLv3+ and GFDL
 Group: Applications/File
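Review bot: The header of cve-2022-1271-part2.patch no longer matches its contents: it still says `3 files changed, 45 insertions(+)` and `* NEWS: Mention the exploit.`, but only tests/Makefile.am (1 line) and tests/zgrep-abuse (41 lines) are in the patch. The NEWS hunk was presumably dropped on purpose for this backport, and the patch description should say so, for example with a line `[backport: NEWS hunk omitted]` under the upstream message. Without that, anyone auditing the package against upstream commit d74a30d4 cannot tell a deliberate omission from a partially applied or altered security patch.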
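Review bot: The replacement escaping in the zgrep.in hunk of part3 is uncommented, and two of its details are easy to undo in a later cleanup. The `:` is now appended inside the `printf` argument (`"$i:"`), so command substitution cannot strip trailing newlines that belong to the file name, and `$!s/$/\\/` ends every line but the last with a backslash so that embedded newlines stay inside the replacement text. I would add above `icolon=$(` a comment such as `# Escape &, \, | and newlines so "$i:" is taken literally in the s|^|...| replacement below; keep the colon inside printf.` The enclosing `case` statement and `do` loop begin outside the hunk.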
@@ -24,6 +24,10 @@ Patch6: ibm4.patch Patch7: dfltcc-segfault.patch Patch8: ibm5.patch +Patch9: cve-2022-1271-part1.patch +Patch10: cve-2022-1271-part2.patch +Patch11: cve-2022-1271-part3.patch + # Fixed in upstream code. # http://thread.gmane.org/gmane.comp.gnu.gzip.bugs/378 URL: http://www.gzip.org/ @@ -58,6 +62,9 @@ very commonly used data compression program. %patch6 -p1 -b .ibm4 %patch7 -p1 %patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 cp %{SOURCE1} . autoreconf @@ -119,6 +126,10 @@ fi %{profiledir}/* %changelog +* Tue Apr 19 2022 Jakub Martisko - 1.9-13 +- fix an arbitrary-file-write vulnerability in zgrep +Resolves: CVE-2022-1271 + * Thu Jan 07 2021 Jakub Martisko - 1.9-12 - Fix a test failure introduced by 1.9-10 Related: 1883204
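Review bot: Patch9 to Patch11 are declared with no comment on their origin or ordering, unlike the `# Fixed in upstream code.` annotation that sits just below them in the same hunk. I would add above `Patch9:` a line such as `# CVE-2022-1271 (zgrep arbitrary file write): upstream series, parts 1-3 must be applied together and in order`. The ordering matters because part3 removes exactly the sed lines that part1 adds and is diffed against part1's result (`index bdf7da2..6a16dd1`), so it would not apply cleanly on its own. The `%patch9` to `%patch11` lines in the hunk at `@@ -58,6 +62,9 @@` rely on the same ordering.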