rpms/gzip
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Auto sync2gitlab import of gzip-1.9-13.el8.src.rpm

Browse Source
This commit is contained in:
James Antill 2022-05-31 14:33:34 -04:00
parent 04423ac0ee
commit 70683c2d74
4 changed files with 178 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
cve-2022-1271-part1.patch Normal file
View File

@ -0,0 +1,43 @@
From dc9740df61e575e8c3148b7bd3c147a81ea00c7c Mon Sep 17 00:00:00 2001
From: Lasse Collin <lasse.collin@tukaani.org>
Date: Mon, 4 Apr 2022 23:52:49 -0700
Subject: zgrep: avoid exploit via multi-newline file names
* zgrep.in: The issue with the old code is that with multiple
newlines, the N-command will read the second line of input,
then the s-commands will be skipped because it's not the end
of the file yet, then a new sed cycle starts and the pattern
space is printed and emptied. So only the last line or two get
escaped. This patch makes sed read all lines into the pattern
space and then do the escaping.
This vulnerability was discovered by:
cleemy desu wayo working with Trend Micro Zero Day Initiative
---
zgrep.in | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/zgrep.in b/zgrep.in
index 345dae3..bdf7da2 100644
--- a/zgrep.in
+++ b/zgrep.in
@@ -222,9 +222,13 @@ do
'* | *'&'* | *'\'* | *'|'*)
i=$(printf '%s\n' "$i" |
sed '
- $!N
- $s/[&\|]/\\&/g
- $s/\n/\\n/g
+ :start
+ $!{
+ N
+ b start
+ }
+ s/[&\|]/\\&/g
+ s/\n/\\n/g
');;
esac
sed_script="s|^|$i:|"
--
cgit v1.1

77
cve-2022-1271-part2.patch Normal file
View File

@ -0,0 +1,77 @@
From d74a30d45c6834c8e9f87115197370fe86656d81 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@fb.com>
Date: Mon, 4 Apr 2022 23:52:49 -0700
Subject: zgrep: add NEWS and tests for this exploitable bug
* tests/zgrep-abuse: New file, based on PoC by cleemy desu wayo.
* tests/Makefile.am (TESTS): Add it.
* NEWS: Mention the exploit.
The bug appears to have been present since the beginning.
---
tests/Makefile.am | 1 +
tests/zgrep-abuse | 41 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 45 insertions(+)
create mode 100755 tests/zgrep-abuse
diff --git a/tests/Makefile.am b/tests/Makefile.am
index d09672e..5f148d6 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -36,6 +36,7 @@ TESTS = \
z-suffix \
zdiff \
zgrep-f \
+ zgrep-abuse \
zgrep-context \
zgrep-signal \
znew-k
diff --git a/tests/zgrep-abuse b/tests/zgrep-abuse
new file mode 100755
index 0000000..3e8a8f9
--- /dev/null
+++ b/tests/zgrep-abuse
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Show how zgrep applied to a crafted file name may overwrite
+# a selected file with chosen content. Fixed in gzip-1.12.
+
+# Copyright (C) 2022 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+# limit so don't run it by default.
+
+. "${srcdir=.}/init.sh"; path_prepend_ ..
+
+: > z || framework_failure_
+echo test |gzip > 'z|
+p
+1s|.*|chosen-content|
+1w hacked
+etouch .\x2fhacked2
+d
+#
+#' || framework_failure_
+
+fail=0
+
+zgrep test z* > /dev/null
+
+# Before the fix, each of these would be created.
+test -f hacked && fail=1
+test -f hacked2 && fail=1
+
+Exit $fail
--
cgit v1.1

46
cve-2022-1271-part3.patch Normal file
View File

@ -0,0 +1,46 @@
From c99f320d5c0fd98fe88d9cea5407eb7ad9d50e8a Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Mon, 4 Apr 2022 23:52:49 -0700
Subject: zgrep: port to POSIX sed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* zgrep.in (res): When escaping the file name do not rely on GNU
seds extension to POSIX with respect to s/.../\n/. Instead, use
features that should also work with AIX and/or Solaris sed. This is
simpler anyway, and would have prevented the recently-fixed bug.
---
zgrep.in | 15 ++++-----------
1 file changed, 4 insertions(+), 11 deletions(-)
diff --git a/zgrep.in b/zgrep.in
index bdf7da2..6a16dd1 100644
--- a/zgrep.in
+++ b/zgrep.in
@@ -220,18 +220,11 @@ do
case $i in
(*'
'* | *'&'* | *'\'* | *'|'*)
- i=$(printf '%s\n' "$i" |
- sed '
- :start
- $!{
- N
- b start
- }
- s/[&\|]/\\&/g
- s/\n/\\n/g
- ');;
+ icolon=$(printf '%s\n' "$i:" |
+ sed -e 's/[&\|]/\\&/g' -e '$!s/$/\\/');;
+ (*) icolon="$i:";;
esac
- sed_script="s|^|$i:|"
+ sed_script="s|^|$icolon|"
# Fail if grep or sed fails.
r=$(
--
cgit v1.1

13
gzip.spec
View File

@ -1,7 +1,7 @@
Summary: The GNU data compression program
Name: gzip
Version: 1.9
Release: 12%{?dist}
Release: 13%{?dist}
# info pages are under GFDL license
License: GPLv3+ and GFDL
Group: Applications/File
@ -24,6 +24,10 @@ Patch6: ibm4.patch
Patch7: dfltcc-segfault.patch
Patch8: ibm5.patch
Patch9: cve-2022-1271-part1.patch
Patch10: cve-2022-1271-part2.patch
Patch11: cve-2022-1271-part3.patch
# Fixed in upstream code.
# http://thread.gmane.org/gmane.comp.gnu.gzip.bugs/378
URL: http://www.gzip.org/
@ -58,6 +62,9 @@ very commonly used data compression program.
%patch6 -p1 -b .ibm4
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
cp %{SOURCE1} .
autoreconf
@ -119,6 +126,10 @@ fi
%{profiledir}/*
%changelog
* Tue Apr 19 2022 Jakub Martisko <jamartis@redhat.com> - 1.9-13
- fix an arbitrary-file-write vulnerability in zgrep
Resolves: CVE-2022-1271
* Thu Jan 07 2021 Jakub Martisko <jamartis@redhat.com> - 1.9-12
- Fix a test failure introduced by 1.9-10
Related: 1883204