Compare commits


No commits in common. "imports/c8s/gzip-1.9-11.el8" and "c8" have entirely different histories.

5 changed files with 196 additions and 1 deletions


@ -0,0 +1,43 @@
From dc9740df61e575e8c3148b7bd3c147a81ea00c7c Mon Sep 17 00:00:00 2001
From: Lasse Collin <lasse.collin@tukaani.org>
Date: Mon, 4 Apr 2022 23:52:49 -0700
Subject: zgrep: avoid exploit via multi-newline file names
* zgrep.in: The issue with the old code is that with multiple
newlines, the N-command will read the second line of input,
then the s-commands will be skipped because it's not the end
of the file yet, then a new sed cycle starts and the pattern
space is printed and emptied. So only the last line or two get
escaped. This patch makes sed read all lines into the pattern
space and then do the escaping.
This vulnerability was discovered by:
cleemy desu wayo working with Trend Micro Zero Day Initiative
---
zgrep.in | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/zgrep.in b/zgrep.in
index 345dae3..bdf7da2 100644
--- a/zgrep.in
+++ b/zgrep.in
@@ -222,9 +222,13 @@ do
'* | *'&'* | *'\'* | *'|'*)
i=$(printf '%s\n' "$i" |
sed '
- $!N
- $s/[&\|]/\\&/g
- $s/\n/\\n/g
+ :start
+ $!{
+ N
+ b start
+ }
+ s/[&\|]/\\&/g
+ s/\n/\\n/g
');;
esac
sed_script="s|^|$i:|"
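Review bot: the `:start` / `$!{ N; b start }` loop now collects the whole file name into the pattern space before the two `s` commands run, which closes the gap the commit message describes (only the last line or two being escaped). Worth recording in review: the result still represents each embedded newline as the two characters `\n`, and the trailing context line `sed_script="s|^|$i:|"` depends on GNU sed expanding `\n` inside a replacement back into a newline, so this fix is GNU-sed specific; the "zgrep: port to POSIX sed" commit carried in this same series removes that dependency and should be applied together with it. A one-line comment above the sed program saying why every line must be read before escaping would help the next maintainer who sees the loop.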
--
cgit v1.1


@ -0,0 +1,77 @@
From d74a30d45c6834c8e9f87115197370fe86656d81 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@fb.com>
Date: Mon, 4 Apr 2022 23:52:49 -0700
Subject: zgrep: add NEWS and tests for this exploitable bug
* tests/zgrep-abuse: New file, based on PoC by cleemy desu wayo.
* tests/Makefile.am (TESTS): Add it.
* NEWS: Mention the exploit.
The bug appears to have been present since the beginning.
---
tests/Makefile.am | 1 +
tests/zgrep-abuse | 41 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 45 insertions(+)
create mode 100755 tests/zgrep-abuse
diff --git a/tests/Makefile.am b/tests/Makefile.am
index d09672e..5f148d6 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -36,6 +36,7 @@ TESTS = \
z-suffix \
zdiff \
zgrep-f \
+ zgrep-abuse \
zgrep-context \
zgrep-signal \
znew-k
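Review bot: the commit message and diffstat describe three changed files including NEWS ("* NEWS: Mention the exploit.", "3 files changed, 45 insertions(+)"), but this patch file carries only the tests/Makefile.am and tests/zgrep-abuse hunks. If the NEWS hunk was dropped on purpose for the backport, trim the diffstat and message to match, so readers of SOURCES and of the spec changelog are not looking for a change that is not here.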
diff --git a/tests/zgrep-abuse b/tests/zgrep-abuse
new file mode 100755
index 0000000..3e8a8f9
--- /dev/null
+++ b/tests/zgrep-abuse
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Show how zgrep applied to a crafted file name may overwrite
+# a selected file with chosen content. Fixed in gzip-1.12.
+
+# Copyright (C) 2022 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+# limit so don't run it by default.
+
+. "${srcdir=.}/init.sh"; path_prepend_ ..
+
+: > z || framework_failure_
+echo test |gzip > 'z|
+p
+1s|.*|chosen-content|
+1w hacked
+etouch .\x2fhacked2
+d
+#
+#' || framework_failure_
+
+fail=0
+
+zgrep test z* > /dev/null
+
+# Before the fix, each of these would be created.
+test -f hacked && fail=1
+test -f hacked2 && fail=1
+
+Exit $fail
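Review bot: the comment `# limit so don't run it by default.` is a sentence fragment with nothing it refers to, and the test is in fact run by default because it is listed in TESTS; either complete it or drop it. The assertions only check that `hacked` and `hacked2` are absent after the run, while `zgrep test z* > /dev/null` discards the exit status, so a fix that made zgrep fail outright on such a name (a sed syntax error in the generated script, say) would still pass. Suggest `zgrep test z* > /dev/null || fail=1` so the test also confirms that a crafted name is searched normally; the crafted file does contain the string `test`, so a successful run should exit 0.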
--
cgit v1.1


@ -0,0 +1,46 @@
From c99f320d5c0fd98fe88d9cea5407eb7ad9d50e8a Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Mon, 4 Apr 2022 23:52:49 -0700
Subject: zgrep: port to POSIX sed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* zgrep.in (res): When escaping the file name do not rely on GNU
sed's extension to POSIX with respect to s/.../\n/. Instead, use
features that should also work with AIX and/or Solaris sed. This is
simpler anyway, and would have prevented the recently-fixed bug.
---
zgrep.in | 15 ++++-----------
1 file changed, 4 insertions(+), 11 deletions(-)
diff --git a/zgrep.in b/zgrep.in
index bdf7da2..6a16dd1 100644
--- a/zgrep.in
+++ b/zgrep.in
@@ -220,18 +220,11 @@ do
case $i in
(*'
'* | *'&'* | *'\'* | *'|'*)
- i=$(printf '%s\n' "$i" |
- sed '
- :start
- $!{
- N
- b start
- }
- s/[&\|]/\\&/g
- s/\n/\\n/g
- ');;
+ icolon=$(printf '%s\n' "$i:" |
+ sed -e 's/[&\|]/\\&/g' -e '$!s/$/\\/');;
+ (*) icolon="$i:";;
esac
- sed_script="s|^|$i:|"
+ sed_script="s|^|$icolon|"
# Fail if grep or sed fails.
r=$(
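Review bot: `$!s/$/\\/` appends a backslash to every line of the name except the last, so `$icolon` becomes a backslash-newline continued replacement in `sed_script="s|^|$icolon|"`, which is the form POSIX sed specifies for a newline in a replacement; the removed code instead produced the two characters `\n` and needed GNU sed to interpret them. That trick is compact enough to deserve a comment in zgrep.in itself rather than only in this commit message. The new `(*) icolon="$i:";;` branch means `$icolon` is always defined, which is correct, but `&`, `\` and `|` still have to stay in the case pattern above it because `|` is the delimiter of the generated `s` command. The `index bdf7da2..6a16dd1` line also shows this hunk is written against the state produced by the first patch in the series, so the two must be applied in that order.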
--
cgit v1.1

SOURCES/ibm5.patch Normal file

@ -0,0 +1,12 @@
diff --git a/tests/hufts b/tests/hufts
index 5d8fb77..1b8ab3b 100755
--- a/tests/hufts
+++ b/tests/hufts
@@ -28,6 +28,7 @@ returns_ 1 gzip -dc "$abs_srcdir/hufts-segv.gz" > out 2> err || fail=1
compare /dev/null out || fail=1
sed 's/.*hufts-segv.gz: /...: /' err > k; mv k err || fail=1
+grep -v 'Operation-Ending-Supplemental Code' err > k; mv k err || fail=1
compare exp err || fail=1
Exit $fail
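Review bot: the patch has no header or comment saying why lines containing 'Operation-Ending-Supplemental Code' are stripped from `err` before `compare exp err`; the only context on this page is the spec changelog entry for 1.9-12 ("Fix a test failure introduced by 1.9-10", "Related: 1883204"). Add a comment above the `grep -v` line, or a header to SOURCES/ibm5.patch, naming where that extra stderr line comes from, so the filter is not later mistaken for hiding a real regression. As on the preceding `sed` line, `|| fail=1` guards only the `mv`; that is deliberate here, since `grep -v` exits 1 when every line is filtered out, but it is worth stating.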


@ -1,7 +1,7 @@
Summary: The GNU data compression program Summary: The GNU data compression program
Name: gzip Name: gzip
Version: 1.9 Version: 1.9
Release: 11%{?dist} Release: 13%{?dist}
# info pages are under GFDL license # info pages are under GFDL license
License: GPLv3+ and GFDL License: GPLv3+ and GFDL
Group: Applications/File Group: Applications/File
@ -22,6 +22,11 @@ Patch4: ibm2.patch
# https://lists.gnu.org/archive/html/bug-gzip/2019-07/msg00000.html # https://lists.gnu.org/archive/html/bug-gzip/2019-07/msg00000.html
Patch6: ibm4.patch Patch6: ibm4.patch
Patch7: dfltcc-segfault.patch Patch7: dfltcc-segfault.patch
Patch8: ibm5.patch
Patch9: cve-2022-1271-part1.patch
Patch10: cve-2022-1271-part2.patch
Patch11: cve-2022-1271-part3.patch
# Fixed in upstream code. # Fixed in upstream code.
# http://thread.gmane.org/gmane.comp.gnu.gzip.bugs/378 # http://thread.gmane.org/gmane.comp.gnu.gzip.bugs/378
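Review bot: `Patch8: ibm5.patch` is added without the explanatory comment that the neighbouring `Patch6: ibm4.patch` carries (a bug-gzip list URL), and the three `cve-2022-1271-part*.patch` entries are likewise uncommented. A one-line comment per patch naming the upstream commit (the patch files on this page record dc9740d, d74a30d and c99f320) or the bug id would make the spec self-documenting and let a reviewer match each SOURCES file to its origin without opening it.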
@ -56,6 +61,10 @@ very commonly used data compression program.
#%patch5 -p1 -b .ibm3 #%patch5 -p1 -b .ibm3
%patch6 -p1 -b .ibm4 %patch6 -p1 -b .ibm4
%patch7 -p1 %patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
cp %{SOURCE1} . cp %{SOURCE1} .
autoreconf autoreconf
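Review bot: `%patch8` through `%patch11` are applied without a `-b` backup suffix, matching `%patch7 -p1` but not `%patch6 -p1 -b .ibm4`; pick one convention for the new entries. The ordering is right as written: the POSIX-sed patch must follow the multi-newline fix, because its hunk removes the `:start` loop that the earlier patch introduced.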
@ -117,6 +126,14 @@ fi
%{profiledir}/* %{profiledir}/*
%changelog %changelog
* Tue Apr 19 2022 Jakub Martisko <jamartis@redhat.com> - 1.9-13
- fix an arbitrary-file-write vulnerability in zgrep
Resolves: CVE-2022-1271
* Thu Jan 07 2021 Jakub Martisko <jamartis@redhat.com> - 1.9-12
- Fix a test failure introduced by 1.9-10
Related: 1883204
* Thu Oct 22 2020 Jakub Martisko <jamartis@redhat.com> - 1.9-11 * Thu Oct 22 2020 Jakub Martisko <jamartis@redhat.com> - 1.9-11
- Enable HW optimizations for modes 1-6 on s390x - Enable HW optimizations for modes 1-6 on s390x
Resolves: 1847436 Resolves: 1847436