Auto sync2gitlab import of gzip-1.9-13.el8.src.rpm

2022-05-31 14:33:34 -04:00 · 2022-05-31 14:33:34 -04:00 · 70683c2d74
commit 70683c2d74
parent 04423ac0ee
4 changed files with 178 additions and 1 deletions
--- a/cve-2022-1271-part1.patch
+++ b/cve-2022-1271-part1.patch
@ -0,0 +1,43 @@
 From dc9740df61e575e8c3148b7bd3c147a81ea00c7c Mon Sep 17 00:00:00 2001
 From: Lasse Collin <lasse.collin@tukaani.org>
 Date: Mon, 4 Apr 2022 23:52:49 -0700
 Subject: zgrep: avoid exploit via multi-newline file names
 * zgrep.in: The issue with the old code is that with multiple
 newlines, the N-command will read the second line of input,
 then the s-commands will be skipped because it's not the end
 of the file yet, then a new sed cycle starts and the pattern
 space is printed and emptied. So only the last line or two get
 escaped. This patch makes sed read all lines into the pattern
 space and then do the escaping.
 This vulnerability was discovered by:
 cleemy desu wayo working with Trend Micro Zero Day Initiative
 ---
 zgrep.in | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
 diff --git a/zgrep.in b/zgrep.in
 index 345dae3..bdf7da2 100644
 --- a/zgrep.in
 +++ b/zgrep.in
@@ -222,9 +222,13 @@ do
 '* | *'&'* | *'\'* | *'|'*)
         i=$(printf '%s\n' "$i" |
             sed '
 -              $!N
 -              $s/[&\|]/\\&/g
 -              $s/\n/\\n/g
 +              :start
 +              $!{
 +                N
 +                b start
 +              }
 +              s/[&\|]/\\&/g
 +              s/\n/\\n/g
             ');;
       esac
       sed_script="s|^|$i:|"
 -- 
 cgit v1.1
--- a/cve-2022-1271-part2.patch
+++ b/cve-2022-1271-part2.patch
@ -0,0 +1,77 @@
 From d74a30d45c6834c8e9f87115197370fe86656d81 Mon Sep 17 00:00:00 2001
 From: Jim Meyering <meyering@fb.com>
 Date: Mon, 4 Apr 2022 23:52:49 -0700
 Subject: zgrep: add NEWS and tests for this exploitable bug
 * tests/zgrep-abuse: New file, based on PoC by cleemy desu wayo.
 * tests/Makefile.am (TESTS): Add it.
 * NEWS: Mention the exploit.
 The bug appears to have been present since the beginning.
 ---
 tests/Makefile.am |  1 +
 tests/zgrep-abuse | 41 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 45 insertions(+)
 create mode 100755 tests/zgrep-abuse
 diff --git a/tests/Makefile.am b/tests/Makefile.am
 index d09672e..5f148d6 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
@@ -36,6 +36,7 @@ TESTS =					\
   z-suffix				\
   zdiff					\
   zgrep-f				\
 +  zgrep-abuse				\
   zgrep-context				\
   zgrep-signal				\
   znew-k
 diff --git a/tests/zgrep-abuse b/tests/zgrep-abuse
 new file mode 100755
 index 0000000..3e8a8f9
 --- /dev/null
 +++ b/tests/zgrep-abuse
@@ -0,0 +1,41 @@
 +#!/bin/sh
 +# Show how zgrep applied to a crafted file name may overwrite
 +# a selected file with chosen content.  Fixed in gzip-1.12.
 +
 +# Copyright (C) 2022 Free Software Foundation, Inc.
 +
 +# This program is free software: you can redistribute it and/or modify
 +# it under the terms of the GNU General Public License as published by
 +# the Free Software Foundation, either version 3 of the License, or
 +# (at your option) any later version.
 +
 +# This program is distributed in the hope that it will be useful,
 +# but WITHOUT ANY WARRANTY; without even the implied warranty of
 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 +# GNU General Public License for more details.
 +
 +# You should have received a copy of the GNU General Public License
 +# along with this program.  If not, see <https://www.gnu.org/licenses/>.
 +# limit so don't run it by default.
 +
 +. "${srcdir=.}/init.sh"; path_prepend_ ..
 +
 +: > z || framework_failure_
 +echo test |gzip > 'z|
 +p
 +1s|.*|chosen-content|
 +1w hacked
 +etouch .\x2fhacked2
 +d
 +#
 +#' || framework_failure_
 +
 +fail=0
 +
 +zgrep test z* > /dev/null
 +
 +# Before the fix, each of these would be created.
 +test -f hacked && fail=1
 +test -f hacked2 && fail=1
 +
 +Exit $fail
 -- 
 cgit v1.1
--- a/cve-2022-1271-part3.patch
+++ b/cve-2022-1271-part3.patch
@ -0,0 +1,46 @@
 From c99f320d5c0fd98fe88d9cea5407eb7ad9d50e8a Mon Sep 17 00:00:00 2001
 From: Paul Eggert <eggert@cs.ucla.edu>
 Date: Mon, 4 Apr 2022 23:52:49 -0700
 Subject: zgrep: port to POSIX sed
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 * zgrep.in (res): When escaping the file name do not rely on GNU
 sed’s extension to POSIX with respect to s/.../\n/.  Instead, use
 features that should also work with AIX and/or Solaris sed.  This is
 simpler anyway, and would have prevented the recently-fixed bug.
 ---
 zgrep.in | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)
 diff --git a/zgrep.in b/zgrep.in
 index bdf7da2..6a16dd1 100644
 --- a/zgrep.in
 +++ b/zgrep.in
@@ -220,18 +220,11 @@ do
       case $i in
       (*'
 '* | *'&'* | *'\'* | *'|'*)
 -        i=$(printf '%s\n' "$i" |
 -            sed '
 -              :start
 -              $!{
 -                N
 -                b start
 -              }
 -              s/[&\|]/\\&/g
 -              s/\n/\\n/g
 -            ');;
 +          icolon=$(printf '%s\n' "$i:" |
 +                     sed -e 's/[&\|]/\\&/g' -e '$!s/$/\\/');;
 +      (*) icolon="$i:";;
       esac
 -      sed_script="s|^|$i:|"
 +      sed_script="s|^|$icolon|"
       # Fail if grep or sed fails.
       r=$(
 -- 
 cgit v1.1
--- a/gzip.spec
+++ b/gzip.spec
@ -1,7 +1,7 @@
 Summary: The GNU data compression program
 Name: gzip
 Version: 1.9
-Release: 12%{?dist}
+Release: 13%{?dist}
 # info pages are under GFDL license
 License: GPLv3+ and GFDL
 Group: Applications/File
@ -24,6 +24,10 @@ Patch6: ibm4.patch
 Patch7: dfltcc-segfault.patch
 Patch8: ibm5.patch
 Patch9: cve-2022-1271-part1.patch
 Patch10: cve-2022-1271-part2.patch
 Patch11: cve-2022-1271-part3.patch
 # Fixed in upstream code.
 # http://thread.gmane.org/gmane.comp.gnu.gzip.bugs/378
 URL: http://www.gzip.org/
@ -58,6 +62,9 @@ very commonly used data compression program.
 %patch6 -p1 -b .ibm4
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
 cp %{SOURCE1} .
 autoreconf
@ -119,6 +126,10 @@ fi
 %{profiledir}/*
 %changelog
 * Tue Apr 19 2022 Jakub Martisko <jamartis@redhat.com> - 1.9-13
 - fix an arbitrary-file-write vulnerability in zgrep
 Resolves: CVE-2022-1271
 * Thu Jan 07 2021 Jakub Martisko <jamartis@redhat.com> - 1.9-12
 - Fix a test failure introduced by 1.9-10
  Related: 1883204