9 changed files with 240 additions and 58 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/gzip-1.10.tar.xz
+SOURCES/gzip-1.9.tar.xz
--- a/.gzip.metadata
+++ b/.gzip.metadata
@ -1 +1 @@
-48d28c77cb8cac38573809fdd1665ecf75f91fa9 SOURCES/gzip-1.10.tar.xz
+0249ad4c4ca1f144714e8e21b6d0db24651fc122 SOURCES/gzip-1.9.tar.xz
--- a/SOURCES/cve-2022-1271-part1.patch
+++ b/SOURCES/cve-2022-1271-part1.patch
@ -0,0 +1,43 @@
+From dc9740df61e575e8c3148b7bd3c147a81ea00c7c Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Mon, 4 Apr 2022 23:52:49 -0700
+Subject: zgrep: avoid exploit via multi-newline file names
+
+* zgrep.in: The issue with the old code is that with multiple
+newlines, the N-command will read the second line of input,
+then the s-commands will be skipped because it's not the end
+of the file yet, then a new sed cycle starts and the pattern
+space is printed and emptied. So only the last line or two get
+escaped. This patch makes sed read all lines into the pattern
+space and then do the escaping.
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+---
+ zgrep.in | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/zgrep.in b/zgrep.in
+index 345dae3..bdf7da2 100644
+--- a/zgrep.in
+++ b/zgrep.in
+@@ -222,9 +222,13 @@ do
+ '* | *'&'* | *'\'* | *'|'*)
+         i=$(printf '%s\n' "$i" |
+             sed '
+-              $!N
+-              $s/[&\|]/\\&/g
+-              $s/\n/\\n/g
+              :start
+              $!{
+                N
+                b start
+              }
+              s/[&\|]/\\&/g
+              s/\n/\\n/g
+             ');;
+       esac
+       sed_script="s|^|$i:|"
+-- 
+cgit v1.1
+
--- a/SOURCES/cve-2022-1271-part2.patch
+++ b/SOURCES/cve-2022-1271-part2.patch
@ -0,0 +1,77 @@
+From d74a30d45c6834c8e9f87115197370fe86656d81 Mon Sep 17 00:00:00 2001
+From: Jim Meyering <meyering@fb.com>
+Date: Mon, 4 Apr 2022 23:52:49 -0700
+Subject: zgrep: add NEWS and tests for this exploitable bug
+
+* tests/zgrep-abuse: New file, based on PoC by cleemy desu wayo.
+* tests/Makefile.am (TESTS): Add it.
+* NEWS: Mention the exploit.
+The bug appears to have been present since the beginning.
+---
+ tests/Makefile.am |  1 +
+ tests/zgrep-abuse | 41 +++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 45 insertions(+)
+ create mode 100755 tests/zgrep-abuse
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index d09672e..5f148d6 100644
+--- a/tests/Makefile.am
+++ b/tests/Makefile.am
+@@ -36,6 +36,7 @@ TESTS =					\
+   z-suffix				\
+   zdiff					\
+   zgrep-f				\
+  zgrep-abuse				\
+   zgrep-context				\
+   zgrep-signal				\
+   znew-k
+diff --git a/tests/zgrep-abuse b/tests/zgrep-abuse
+new file mode 100755
+index 0000000..3e8a8f9
+--- /dev/null
+++ b/tests/zgrep-abuse
+@@ -0,0 +1,41 @@
+#!/bin/sh
+# Show how zgrep applied to a crafted file name may overwrite
+# a selected file with chosen content.  Fixed in gzip-1.12.
+
+# Copyright (C) 2022 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+# limit so don't run it by default.
+
+. "${srcdir=.}/init.sh"; path_prepend_ ..
+
+: > z || framework_failure_
+echo test |gzip > 'z|
+p
+1s|.*|chosen-content|
+1w hacked
+etouch .\x2fhacked2
+d
+#
+#' || framework_failure_
+
+fail=0
+
+zgrep test z* > /dev/null
+
+# Before the fix, each of these would be created.
+test -f hacked && fail=1
+test -f hacked2 && fail=1
+
+Exit $fail
+-- 
+cgit v1.1
+
--- a/SOURCES/cve-2022-1271-part3.patch
+++ b/SOURCES/cve-2022-1271-part3.patch
@ -0,0 +1,46 @@
+From c99f320d5c0fd98fe88d9cea5407eb7ad9d50e8a Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Mon, 4 Apr 2022 23:52:49 -0700
+Subject: zgrep: port to POSIX sed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* zgrep.in (res): When escaping the file name do not rely on GNU
+sed’s extension to POSIX with respect to s/.../\n/.  Instead, use
+features that should also work with AIX and/or Solaris sed.  This is
+simpler anyway, and would have prevented the recently-fixed bug.
+---
+ zgrep.in | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/zgrep.in b/zgrep.in
+index bdf7da2..6a16dd1 100644
+--- a/zgrep.in
+++ b/zgrep.in
+@@ -220,18 +220,11 @@ do
+       case $i in
+       (*'
+ '* | *'&'* | *'\'* | *'|'*)
+-        i=$(printf '%s\n' "$i" |
+-            sed '
+-              :start
+-              $!{
+-                N
+-                b start
+-              }
+-              s/[&\|]/\\&/g
+-              s/\n/\\n/g
+-            ');;
+          icolon=$(printf '%s\n' "$i:" |
+                     sed -e 's/[&\|]/\\&/g' -e '$!s/$/\\/');;
+      (*) icolon="$i:";;
+       esac
+-      sed_script="s|^|$i:|"
+      sed_script="s|^|$icolon|"
+ 
+       # Fail if grep or sed fails.
+       r=$(
+-- 
+cgit v1.1
+
--- a/SOURCES/ibm.patch
+++ b/SOURCES/ibm.patch
@ -830,7 +830,7 @@ index 1bd4c78..ace7e5e 100644
     header_bytes += 2*4;
 
@@ -126,7 +137,7 @@ int file_read(buf, size)
-         read_error();
+         return EOF;
     }
 
 -    crc = updcrc((uch*)buf, len);
--- a/SOURCES/ibm2.patch
+++ b/SOURCES/ibm2.patch
@ -1015,7 +1015,7 @@ index ace7e5e..0f12d5e 100644
     header_bytes += 2*4;
 
@@ -137,7 +135,7 @@ int file_read(buf, size)
-         read_error();
+         return EOF;
     }
 
 -    updcrc((uch*)buf, len);
--- a/SOURCES/ibm5.patch
+++ b/SOURCES/ibm5.patch
@ -9,4 +9,4 @@ index 5d8fb77..1b8ab3b 100755
 +grep -v 'Operation-Ending-Supplemental Code' err > k; mv k err || fail=1
 compare exp err || fail=1
 
- printf '\037\213\010\000\060\060\060\060\060\060\144\000\000\000' > bug33501 \
+ Exit $fail
--- a/SPECS/gzip.spec
+++ b/SPECS/gzip.spec
@ -1,9 +1,10 @@
 Summary: The GNU data compression program
 Name: gzip
-Version: 1.10
-Release: 8%{?dist}
+Version: 1.9
+Release: 13%{?dist}
 # info pages are under GFDL license
 License: GPLv3+ and GFDL
+Group: Applications/File
 Source0: http://ftp.gnu.org/gnu/gzip/gzip-%{version}.tar.xz
 Source1: https://www.gnu.org/licenses/fdl-1.3.txt

@ -14,10 +15,18 @@ Source101: colorzgrep.sh
 Patch1: gnulib.patch
 Patch2: gzexe.patch
 Patch3: ibm.patch
+# http://git.savannah.gnu.org/cgit/gzip.git/commit/?id=be0c5581e38332b2ffa8a4cf92076cfde02872b4
 Patch4: ibm2.patch
-Patch5: ibm4.patch
-Patch6: dfltcc-segfault.patch
-Patch7: ibm5.patch
+# https://lists.gnu.org/archive/html/bug-gzip/2019-06/msg00000.html
+#Patch5: ibm3.patch
+# https://lists.gnu.org/archive/html/bug-gzip/2019-07/msg00000.html
+Patch6: ibm4.patch
+Patch7: dfltcc-segfault.patch
+Patch8: ibm5.patch
+
+Patch9: cve-2022-1271-part1.patch
+Patch10: cve-2022-1271-part2.patch
+Patch11: cve-2022-1271-part3.patch

 # Fixed in upstream code.
 # http://thread.gmane.org/gmane.comp.gnu.gzip.bugs/378
@ -25,9 +34,9 @@ URL: http://www.gzip.org/
 # Requires should not be added for gzip wrappers (eg. zdiff, zgrep,
 # zless) of another tools, because gzip "extends" the tools by its
 # wrappers much more than it "requires" them.
-Requires: coreutils 
+Requires: /sbin/install-info
+Requires: coreutils
 BuildRequires: texinfo, gcc, autoconf, automake, less
-BuildRequires: make
 Conflicts: filesystem < 3
 Provides: /bin/gunzip
 Provides: /bin/gzip
@ -45,13 +54,17 @@ very commonly used data compression program.

 %prep
 %setup -q
-#%patch1 -p1 -b .gnulib
+%patch1 -p1 -b .gnulib
 %patch2 -p1 -b .gzexe
-%patch3 -p1 
-%patch4 -p1 
-%patch5 -p1 
-%patch6 -p1 
-%patch7 -p1 
+%patch3 -p1 -b .ibm
+%patch4 -p1 -b .ibm2
+#%patch5 -p1 -b .ibm3
+%patch6 -p1 -b .ibm4
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
 cp %{SOURCE1} .
 autoreconf

@ -90,7 +103,20 @@ mkdir -p %{buildroot}%{profiledir}
 install -p -m 644 %{SOURCE100} %{buildroot}%{profiledir}
 install -p -m 644 %{SOURCE101} %{buildroot}%{profiledir}

+%post
+if [ -f %{_infodir}/gzip.info* ]; then
+    /sbin/install-info %{_infodir}/gzip.info.gz %{_infodir}/dir || :
+fi
+
+%preun
+if [ $1 = 0 ]; then
+    if [ -f %{_infodir}/gzip.info* ]; then
+        /sbin/install-info --delete %{_infodir}/gzip.info.gz %{_infodir}/dir || :
+    fi
+fi
+
 %files
+%defattr(-,root,root)
 %doc NEWS README AUTHORS ChangeLog THANKS TODO
 %{!?_licensedir:%global license %%doc}
 %license COPYING fdl-1.3.txt
@ -100,58 +126,48 @@ install -p -m 644 %{SOURCE101} %{buildroot}%{profiledir}
 %{profiledir}/*

 %changelog
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.10-8
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
+* Tue Apr 19 2022 Jakub Martisko <jamartis@redhat.com> - 1.9-13
+- fix an arbitrary-file-write vulnerability in zgrep
+Resolves: CVE-2022-1271

-* Fri Jul 30 2021 Jakub Martisko <jamartis@redhat.com> - 1.10-7
- Add the ibm patches dealing with s390x optimizations
-Resolves: rhbz#1986357
+* Thu Jan 07 2021 Jakub Martisko <jamartis@redhat.com> - 1.9-12
+- Fix a test failure introduced by 1.9-10
+  Related: 1883204

-* Fri Jul 30 2021 Jakub Martisko <jamartis@redhat.com> - 1.10-6
- Add gating tests
-Resolves: rhbz#1986357
+* Thu Oct 22 2020 Jakub Martisko <jamartis@redhat.com> - 1.9-11
+- Enable HW optimizations for modes 1-6 on s390x
+  Resolves: 1847436

-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.10-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+* Thu Oct 22 2020 Jakub Martisko <jamartis@redhat.com> - 1.9-10
+- Fix a segfault on some s390x machines when compressing multiple files
+  Resolves: 1883204

-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.10-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+* Mon Jul 15 2019 Jakub Martisko <jamartis@redhat.com> - 1.9-9
+- Another fix for the s390 patch
+  Related: 1730332

-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+* Mon May 06 2019 Jakub Martisko <jamartis@redhat.com> - 1.9-8
+- Apply fixes to the previous patch
+  Resolves: 1659434

-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+* Mon May 06 2019 Jakub Martisko <jamartis@redhat.com> - 1.9-7
+- Apply the IBM s390x optimization patch
+  Resolves: 1659434

-* Fri Aug 09 2019 Jakub Martisko <jamartis@redhat.com> - 1.10-1
- Rebase to 1.10
+* Mon May 06 2019 Jakub Martisko <jamartis@redhat.com> - 1.9-6
+- Release bump for gating rebuild
+  Related: 1681027

-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Tue Mar 26 2019 Jakub Martisko <jamartis@redhat.com> - 1.9-9
+* Thu May 02 2019 Jakub Martisko <jamartis@redhat.com> - 1.9-5
 - Fix wrong skip size in gzexe
 - Add new test dealing with the ^^ (needs autoreconf)
 - Enable make check (needs less)
-  Related: 1690825
+  Resolves: 1705413

-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Thu Jul 26 2018 Jakub Martisko <jamartis@redhat.com> - 1.9-7
- Fix FTBFS bug (gnulib problems)
- more details: https://lists.gnu.org/r/bug-gnulib/2018-03/msg00000.html
-  Resolves 1604303
-
-* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.9-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Thu Mar 01 2018 Jakub Martisko <jamartis@redhat.com> - 1.9-5
- Fix previous commit (gcc was added to requires instead of buildrequires)
-
-* Thu Mar 01 2018 Jakub Martisko <jamartis@redhat.com> - 1.9-4
- Add gcc to buildrequires
+ * Tue Aug 07 2018 Jakub Martisko <jamartis@redhat.com> - 1.9-4
+ - Fix FTBFS bug (gnulib problems)
+ - more details: https://lists.gnu.org/r/bug-gnulib/2018-03/msg00000.html
+   Resolves 1611722

 * Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1.9-3
 - Escape macros in %%changelog