78 lines
2.2 KiB
Diff
78 lines
2.2 KiB
Diff
From d74a30d45c6834c8e9f87115197370fe86656d81 Mon Sep 17 00:00:00 2001
|
|
From: Jim Meyering <meyering@fb.com>
|
|
Date: Mon, 4 Apr 2022 23:52:49 -0700
|
|
Subject: zgrep: add NEWS and tests for this exploitable bug
|
|
|
|
* tests/zgrep-abuse: New file, based on PoC by cleemy desu wayo.
|
|
* tests/Makefile.am (TESTS): Add it.
|
|
* NEWS: Mention the exploit.
|
|
The bug appears to have been present since the beginning.
|
|
---
|
|
tests/Makefile.am | 1 +
|
|
tests/zgrep-abuse | 41 +++++++++++++++++++++++++++++++++++++++++
|
|
3 files changed, 45 insertions(+)
|
|
create mode 100755 tests/zgrep-abuse
|
|
|
|
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
|
index d09672e..5f148d6 100644
|
|
--- a/tests/Makefile.am
|
|
+++ b/tests/Makefile.am
|
|
@@ -36,6 +36,7 @@ TESTS = \
|
|
z-suffix \
|
|
zdiff \
|
|
zgrep-f \
|
|
+ zgrep-abuse \
|
|
zgrep-context \
|
|
zgrep-signal \
|
|
znew-k
|
|
diff --git a/tests/zgrep-abuse b/tests/zgrep-abuse
|
|
new file mode 100755
|
|
index 0000000..3e8a8f9
|
|
--- /dev/null
|
|
+++ b/tests/zgrep-abuse
|
|
@@ -0,0 +1,41 @@
|
|
+#!/bin/sh
|
|
+# Show how zgrep applied to a crafted file name may overwrite
|
|
+# a selected file with chosen content. Fixed in gzip-1.12.
|
|
+
|
|
+# Copyright (C) 2022 Free Software Foundation, Inc.
|
|
+
|
|
+# This program is free software: you can redistribute it and/or modify
|
|
+# it under the terms of the GNU General Public License as published by
|
|
+# the Free Software Foundation, either version 3 of the License, or
|
|
+# (at your option) any later version.
|
|
+
|
|
+# This program is distributed in the hope that it will be useful,
|
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+# GNU General Public License for more details.
|
|
+
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
+# limit so don't run it by default.
|
|
+
|
|
+. "${srcdir=.}/init.sh"; path_prepend_ ..
|
|
+
|
|
+: > z || framework_failure_
|
|
+echo test |gzip > 'z|
|
|
+p
|
|
+1s|.*|chosen-content|
|
|
+1w hacked
|
|
+etouch .\x2fhacked2
|
|
+d
|
|
+#
|
|
+#' || framework_failure_
|
|
+
|
|
+fail=0
|
|
+
|
|
+zgrep test z* > /dev/null
|
|
+
|
|
+# Before the fix, each of these would be created.
|
|
+test -f hacked && fail=1
|
|
+test -f hacked2 && fail=1
|
|
+
|
|
+Exit $fail
|
|
--
|
|
cgit v1.1
|
|
|