Compare commits
No commits in common. "c8" and "imports/c8s/gzip-1.9-11.el8" have entirely different histories.
c8
...
imports/c8
@ -1,43 +0,0 @@
|
|||||||
From dc9740df61e575e8c3148b7bd3c147a81ea00c7c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Lasse Collin <lasse.collin@tukaani.org>
|
|
||||||
Date: Mon, 4 Apr 2022 23:52:49 -0700
|
|
||||||
Subject: zgrep: avoid exploit via multi-newline file names
|
|
||||||
|
|
||||||
* zgrep.in: The issue with the old code is that with multiple
|
|
||||||
newlines, the N-command will read the second line of input,
|
|
||||||
then the s-commands will be skipped because it's not the end
|
|
||||||
of the file yet, then a new sed cycle starts and the pattern
|
|
||||||
space is printed and emptied. So only the last line or two get
|
|
||||||
escaped. This patch makes sed read all lines into the pattern
|
|
||||||
space and then do the escaping.
|
|
||||||
|
|
||||||
This vulnerability was discovered by:
|
|
||||||
cleemy desu wayo working with Trend Micro Zero Day Initiative
|
|
||||||
---
|
|
||||||
zgrep.in | 10 +++++++---
|
|
||||||
1 file changed, 7 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/zgrep.in b/zgrep.in
|
|
||||||
index 345dae3..bdf7da2 100644
|
|
||||||
--- a/zgrep.in
|
|
||||||
+++ b/zgrep.in
|
|
||||||
@@ -222,9 +222,13 @@ do
|
|
||||||
'* | *'&'* | *'\'* | *'|'*)
|
|
||||||
i=$(printf '%s\n' "$i" |
|
|
||||||
sed '
|
|
||||||
- $!N
|
|
||||||
- $s/[&\|]/\\&/g
|
|
||||||
- $s/\n/\\n/g
|
|
||||||
+ :start
|
|
||||||
+ $!{
|
|
||||||
+ N
|
|
||||||
+ b start
|
|
||||||
+ }
|
|
||||||
+ s/[&\|]/\\&/g
|
|
||||||
+ s/\n/\\n/g
|
|
||||||
');;
|
|
||||||
esac
|
|
||||||
sed_script="s|^|$i:|"
|
|
||||||
--
|
|
||||||
cgit v1.1
|
|
||||||
|
|
@ -1,77 +0,0 @@
|
|||||||
From d74a30d45c6834c8e9f87115197370fe86656d81 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jim Meyering <meyering@fb.com>
|
|
||||||
Date: Mon, 4 Apr 2022 23:52:49 -0700
|
|
||||||
Subject: zgrep: add NEWS and tests for this exploitable bug
|
|
||||||
|
|
||||||
* tests/zgrep-abuse: New file, based on PoC by cleemy desu wayo.
|
|
||||||
* tests/Makefile.am (TESTS): Add it.
|
|
||||||
* NEWS: Mention the exploit.
|
|
||||||
The bug appears to have been present since the beginning.
|
|
||||||
---
|
|
||||||
tests/Makefile.am | 1 +
|
|
||||||
tests/zgrep-abuse | 41 +++++++++++++++++++++++++++++++++++++++++
|
|
||||||
3 files changed, 45 insertions(+)
|
|
||||||
create mode 100755 tests/zgrep-abuse
|
|
||||||
|
|
||||||
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
|
||||||
index d09672e..5f148d6 100644
|
|
||||||
--- a/tests/Makefile.am
|
|
||||||
+++ b/tests/Makefile.am
|
|
||||||
@@ -36,6 +36,7 @@ TESTS = \
|
|
||||||
z-suffix \
|
|
||||||
zdiff \
|
|
||||||
zgrep-f \
|
|
||||||
+ zgrep-abuse \
|
|
||||||
zgrep-context \
|
|
||||||
zgrep-signal \
|
|
||||||
znew-k
|
|
||||||
diff --git a/tests/zgrep-abuse b/tests/zgrep-abuse
|
|
||||||
new file mode 100755
|
|
||||||
index 0000000..3e8a8f9
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/zgrep-abuse
|
|
||||||
@@ -0,0 +1,41 @@
|
|
||||||
+#!/bin/sh
|
|
||||||
+# Show how zgrep applied to a crafted file name may overwrite
|
|
||||||
+# a selected file with chosen content. Fixed in gzip-1.12.
|
|
||||||
+
|
|
||||||
+# Copyright (C) 2022 Free Software Foundation, Inc.
|
|
||||||
+
|
|
||||||
+# This program is free software: you can redistribute it and/or modify
|
|
||||||
+# it under the terms of the GNU General Public License as published by
|
|
||||||
+# the Free Software Foundation, either version 3 of the License, or
|
|
||||||
+# (at your option) any later version.
|
|
||||||
+
|
|
||||||
+# This program is distributed in the hope that it will be useful,
|
|
||||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
+# GNU General Public License for more details.
|
|
||||||
+
|
|
||||||
+# You should have received a copy of the GNU General Public License
|
|
||||||
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
||||||
+# limit so don't run it by default.
|
|
||||||
+
|
|
||||||
+. "${srcdir=.}/init.sh"; path_prepend_ ..
|
|
||||||
+
|
|
||||||
+: > z || framework_failure_
|
|
||||||
+echo test |gzip > 'z|
|
|
||||||
+p
|
|
||||||
+1s|.*|chosen-content|
|
|
||||||
+1w hacked
|
|
||||||
+etouch .\x2fhacked2
|
|
||||||
+d
|
|
||||||
+#
|
|
||||||
+#' || framework_failure_
|
|
||||||
+
|
|
||||||
+fail=0
|
|
||||||
+
|
|
||||||
+zgrep test z* > /dev/null
|
|
||||||
+
|
|
||||||
+# Before the fix, each of these would be created.
|
|
||||||
+test -f hacked && fail=1
|
|
||||||
+test -f hacked2 && fail=1
|
|
||||||
+
|
|
||||||
+Exit $fail
|
|
||||||
--
|
|
||||||
cgit v1.1
|
|
||||||
|
|
@ -1,46 +0,0 @@
|
|||||||
From c99f320d5c0fd98fe88d9cea5407eb7ad9d50e8a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Paul Eggert <eggert@cs.ucla.edu>
|
|
||||||
Date: Mon, 4 Apr 2022 23:52:49 -0700
|
|
||||||
Subject: zgrep: port to POSIX sed
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
* zgrep.in (res): When escaping the file name do not rely on GNU
|
|
||||||
sed’s extension to POSIX with respect to s/.../\n/. Instead, use
|
|
||||||
features that should also work with AIX and/or Solaris sed. This is
|
|
||||||
simpler anyway, and would have prevented the recently-fixed bug.
|
|
||||||
---
|
|
||||||
zgrep.in | 15 ++++-----------
|
|
||||||
1 file changed, 4 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/zgrep.in b/zgrep.in
|
|
||||||
index bdf7da2..6a16dd1 100644
|
|
||||||
--- a/zgrep.in
|
|
||||||
+++ b/zgrep.in
|
|
||||||
@@ -220,18 +220,11 @@ do
|
|
||||||
case $i in
|
|
||||||
(*'
|
|
||||||
'* | *'&'* | *'\'* | *'|'*)
|
|
||||||
- i=$(printf '%s\n' "$i" |
|
|
||||||
- sed '
|
|
||||||
- :start
|
|
||||||
- $!{
|
|
||||||
- N
|
|
||||||
- b start
|
|
||||||
- }
|
|
||||||
- s/[&\|]/\\&/g
|
|
||||||
- s/\n/\\n/g
|
|
||||||
- ');;
|
|
||||||
+ icolon=$(printf '%s\n' "$i:" |
|
|
||||||
+ sed -e 's/[&\|]/\\&/g' -e '$!s/$/\\/');;
|
|
||||||
+ (*) icolon="$i:";;
|
|
||||||
esac
|
|
||||||
- sed_script="s|^|$i:|"
|
|
||||||
+ sed_script="s|^|$icolon|"
|
|
||||||
|
|
||||||
# Fail if grep or sed fails.
|
|
||||||
r=$(
|
|
||||||
--
|
|
||||||
cgit v1.1
|
|
||||||
|
|
@ -1,12 +0,0 @@
|
|||||||
diff --git a/tests/hufts b/tests/hufts
|
|
||||||
index 5d8fb77..1b8ab3b 100755
|
|
||||||
--- a/tests/hufts
|
|
||||||
+++ b/tests/hufts
|
|
||||||
@@ -28,6 +28,7 @@ returns_ 1 gzip -dc "$abs_srcdir/hufts-segv.gz" > out 2> err || fail=1
|
|
||||||
compare /dev/null out || fail=1
|
|
||||||
|
|
||||||
sed 's/.*hufts-segv.gz: /...: /' err > k; mv k err || fail=1
|
|
||||||
+grep -v 'Operation-Ending-Supplemental Code' err > k; mv k err || fail=1
|
|
||||||
compare exp err || fail=1
|
|
||||||
|
|
||||||
Exit $fail
|
|
@ -1,7 +1,7 @@
|
|||||||
Summary: The GNU data compression program
|
Summary: The GNU data compression program
|
||||||
Name: gzip
|
Name: gzip
|
||||||
Version: 1.9
|
Version: 1.9
|
||||||
Release: 13%{?dist}
|
Release: 11%{?dist}
|
||||||
# info pages are under GFDL license
|
# info pages are under GFDL license
|
||||||
License: GPLv3+ and GFDL
|
License: GPLv3+ and GFDL
|
||||||
Group: Applications/File
|
Group: Applications/File
|
||||||
@ -22,11 +22,6 @@ Patch4: ibm2.patch
|
|||||||
# https://lists.gnu.org/archive/html/bug-gzip/2019-07/msg00000.html
|
# https://lists.gnu.org/archive/html/bug-gzip/2019-07/msg00000.html
|
||||||
Patch6: ibm4.patch
|
Patch6: ibm4.patch
|
||||||
Patch7: dfltcc-segfault.patch
|
Patch7: dfltcc-segfault.patch
|
||||||
Patch8: ibm5.patch
|
|
||||||
|
|
||||||
Patch9: cve-2022-1271-part1.patch
|
|
||||||
Patch10: cve-2022-1271-part2.patch
|
|
||||||
Patch11: cve-2022-1271-part3.patch
|
|
||||||
|
|
||||||
# Fixed in upstream code.
|
# Fixed in upstream code.
|
||||||
# http://thread.gmane.org/gmane.comp.gnu.gzip.bugs/378
|
# http://thread.gmane.org/gmane.comp.gnu.gzip.bugs/378
|
||||||
@ -61,10 +56,6 @@ very commonly used data compression program.
|
|||||||
#%patch5 -p1 -b .ibm3
|
#%patch5 -p1 -b .ibm3
|
||||||
%patch6 -p1 -b .ibm4
|
%patch6 -p1 -b .ibm4
|
||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8 -p1
|
|
||||||
%patch9 -p1
|
|
||||||
%patch10 -p1
|
|
||||||
%patch11 -p1
|
|
||||||
cp %{SOURCE1} .
|
cp %{SOURCE1} .
|
||||||
autoreconf
|
autoreconf
|
||||||
|
|
||||||
@ -126,14 +117,6 @@ fi
|
|||||||
%{profiledir}/*
|
%{profiledir}/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Apr 19 2022 Jakub Martisko <jamartis@redhat.com> - 1.9-13
|
|
||||||
- fix an arbitrary-file-write vulnerability in zgrep
|
|
||||||
Resolves: CVE-2022-1271
|
|
||||||
|
|
||||||
* Thu Jan 07 2021 Jakub Martisko <jamartis@redhat.com> - 1.9-12
|
|
||||||
- Fix a test failure introduced by 1.9-10
|
|
||||||
Related: 1883204
|
|
||||||
|
|
||||||
* Thu Oct 22 2020 Jakub Martisko <jamartis@redhat.com> - 1.9-11
|
* Thu Oct 22 2020 Jakub Martisko <jamartis@redhat.com> - 1.9-11
|
||||||
- Enable HW optimizations for modes 1-6 on s390x
|
- Enable HW optimizations for modes 1-6 on s390x
|
||||||
Resolves: 1847436
|
Resolves: 1847436
|
||||||
|
Loading…
Reference in New Issue
Block a user