Debian CVE-2022-1271: gzip: overwrite an attacker's content to an arbitrary attacker-selected file
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| StarlingX | Fix Released | Medium | ZhangXiao | |
Bug Description
CVE-2022-1271: [https:/
An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.
Score:

| cve_id | status | cvss3Score | av | ac | pr | ui | ai |
|---|---|---|---|---|---|---|---|
| CVE-2022-1552 | fixed | 8.8 | N | L | N | N | H |
References:
https:/
['gzip_
Found during April 2022 CVE scan using vulscan
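The precondition described above is a file-name operand that contains newlines. The following is an added defensive check (not from the bug report, StarlingX or the gzip project): a POSIX sh wrapper that refuses such operands before zgrep sees them, plus a scan that counts such names under a directory so they can be reviewed on hosts still running an unpatched gzip. The helper names (`name_is_single_line`, `safe_zgrep`, `count_multiline_names`, `demo`) and the constructed file names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report, StarlingX or the gzip project).
# CVE-2022-1271 needs a file-name operand containing newlines to reach zgrep;
# this wrapper refuses such operands, and the scan counts such names on disk
# so they can be reviewed on hosts that still run an unpatched gzip.

# A literal newline; the trailing "x" stops $(...) from trimming it away.
nl=$(printf '\nx'); nl=${nl%x}

# Return 0 when the name holds no newline, 1 when it does.
name_is_single_line() {
    case "$1" in
        *"$nl"*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Hypothetical wrapper: refuse to run zgrep if any operand (file name or
# pattern) contains a newline; otherwise pass everything through unchanged.
safe_zgrep() {
    for arg in "$@"; do
        if ! name_is_single_line "$arg"; then
            printf 'safe_zgrep: refusing operand containing a newline\n' >&2
            return 2
        fi
    done
    zgrep "$@"
}

# Print the number of regular files under $1 whose names contain a newline.
# Each match emits exactly one line, so wc -l counts matches, not name lines.
count_multiline_names() {
    find "$1" -type f -name "*${nl}*" -exec sh -c 'echo hit' \; | wc -l | tr -d ' '
}

# Demo on a constructed directory: one ordinary name, one crafted name.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/access.log.gz"
    : > "$d/crafted${nl}name.gz"
    count_multiline_names "$d"      # prints 1
    rm -rf "$d"
}
```

Run `demo` to see the scan count the crafted name; the wrapper itself only reaches `zgrep` once every operand has passed the check.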
CVE References
Changed in starlingx:
  status: New → Triaged
  importance: Undecided → Medium
  information type: Public → Public Security
  tags: added: stx.8.0 stx.security
Changed in starlingx:
  assignee: nobody → Yue Tao (wrytao)
Changed in starlingx:
  assignee: Yue Tao (wrytao) → ZhangXiao (zhangxiao-windriver)
Changed in starlingx:
  status: Triaged → In Progress
Reviewed: https://review.opendev.org/c/starlingx/tools/+/863609
Committed: https://opendev.org/starlingx/tools/commit/4344cb713fb86e770eb1d65ca3c299915a53f5fb
Submitter: "Zuul (22348)"
Branch: master
commit 4344cb713fb86e770eb1d65ca3c299915a53f5fb
Author: Zhang Xiao <email address hidden>
Date: Fri Nov 4 18:15:10 2022 +0800
Debian: gzip, xz-utils: fix CVE-2022-1271
Upgrade gzip to 1.10-4+deb11u1
Upgrade xz-utils to 5.2.5-2.1~deb11u1
Refer to: https://security-tracker.debian.org/tracker/CVE-2022-1271
Test Plan:
Pass: build image
Closes-bug: #1994113
Signed-off-by: Zhang Xiao <email address hidden>
Change-Id: Ieea13dda4c4ef14fa4167c7e8520fd0baf7b8224