Debian CVE-2022-1271: gzip: overwrite an attacker's content to an arbitrary attacker-selected file

Bug #1994113 reported by Yue Tao
Affects    Status        Importance  Assigned to  Milestone
StarlingX  Fix Released  Medium      ZhangXiao

Bug Description

CVE-2022-1271: [https://nvd.nist.gov/vuln/detail/CVE-2022-1271]
An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

Score:
cve_id         status  cvss3Score  av  ac  pr  ui  ai
CVE-2022-1552  fixed   8.8         N   L   N   N   H

References:
https://security-tracker.debian.org/tracker/CVE-2022-1271

['gzip_1.10-4_amd64.deb===>gzip_1.10-4+deb11u1_amd64.deb']

Found during April 2022 CVE scan using vulscan
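A remediation check a defender can run against the fixed versions this bug names (1.10-4+deb11u1 for gzip, 5.2.5-2.1~deb11u1 for xz-utils and liblzma5), as an added example that is not part of the bug report or of the StarlingX change. The dpkg-query output is constructed, and the version ordering is a port of dpkg's verrevcmp() so that suffixes like `+deb11u1` and `~deb11u1` sort the way dpkg sorts them.

```python
# Fixed bullseye versions named in this bug for the three affected binary packages.
FIXED_VERSIONS = {"gzip": "1.10-4+deb11u1", "xz-utils": "5.2.5-2.1~deb11u1", "liblzma5": "5.2.5-2.1~deb11u1"}
# Constructed sample of `dpkg-query -W -f='${Package}\t${Version}\n'` output, not from a real host.
SAMPLE_DPKG_OUTPUT = "gzip\t1.10-4\nliblzma5\t5.2.5-2\nxz-utils\t5.2.5-2.1~deb11u1\nzlib1g\t1:1.2.11.dfsg-2+deb11u2\n"

def _order(c):
    # dpkg verrevcmp() weight: digits/end 0, letters by ASCII, symbols after letters, '~' below all.
    if c.isdigit() or not c:
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): alternate lexical non-digit runs and numeric digit runs.
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])  # slicing yields "" past the end
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1  # numeric runs ignore leading zeros
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1  # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(a, b):
    # Same ordering as `dpkg --compare-versions`: epoch, then upstream, then Debian revision.
    def split(v):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), revision
    for x, y in zip(split(a), split(b)):
        r = (x > y) - (x < y) if isinstance(x, int) else _verrevcmp(x, y)
        if r:
            return (r > 0) - (r < 0)
    return 0

def find_vulnerable(dpkg_output):
    # (package, installed, fixed) for each listed package still older than its fixed version.
    rows = [line.partition("\t")[::2] for line in dpkg_output.splitlines()]
    return [(p, v, FIXED_VERSIONS[p]) for p, v in rows
            if p in FIXED_VERSIONS and compare_versions(v, FIXED_VERSIONS[p]) < 0]
```

On the constructed sample, gzip and liblzma5 are reported as still vulnerable while xz-utils already carries the fixed version, which is exactly the partial-upgrade state the second commit on this bug corrects.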


Ghada Khalil (gkhalil)
Changed in starlingx:
status: New → Triaged
importance: Undecided → Medium
information type: Public → Public Security
tags: added: stx.8.0 stx.security
Changed in starlingx:
assignee: nobody → Yue Tao (wrytao)
Changed in starlingx:
assignee: Yue Tao (wrytao) → ZhangXiao (zhangxiao-windriver)
Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/863609
Committed: https://opendev.org/starlingx/tools/commit/4344cb713fb86e770eb1d65ca3c299915a53f5fb
Submitter: "Zuul (22348)"
Branch: master

commit 4344cb713fb86e770eb1d65ca3c299915a53f5fb
Author: Zhang Xiao <email address hidden>
Date: Fri Nov 4 18:15:10 2022 +0800

    Debian: gzip, xz-utils: fix CVE-2022-1271

    Upgrade gzip to 1.10-4+deb11u1
    Upgrade xz-utils to 5.2.5-2.1~deb11u1

    Refer to:
    https://security-tracker.debian.org/tracker/CVE-2022-1271

    Test Plan:
    Pass: build image

    Closes-bug: #1994113

    Signed-off-by: Zhang Xiao <email address hidden>
    Change-Id: Ieea13dda4c4ef14fa4167c7e8520fd0baf7b8224

Changed in starlingx:
status: In Progress → Fix Released
ZhangXiao (zhangxiao-windriver) wrote :

The binary package liblzma5, built from xz-utils, also needs to be upgraded.

Technically, for packages built from the source package xz-utils, this CVE only affects xz-utils, but we should upgrade all binary packages, not just part of them. So liblzma5 also needs to be upgraded, to the same version as the binary package xz-utils.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/880287

OpenStack Infra (hudson-openstack) wrote : Change abandoned on tools (master)

Change abandoned by "ZhangXiao <email address hidden>" on branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/880287
Reason: Not boot test yet

OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/880287
Committed: https://opendev.org/starlingx/tools/commit/f86663e0fb3a1b291dbdf16ffb1b139b63ba7818
Submitter: "Zuul (22348)"
Branch: master

commit f86663e0fb3a1b291dbdf16ffb1b139b63ba7818
Author: Zhang Xiao <email address hidden>
Date: Thu Apr 13 19:48:01 2023 +0800

    Debian: liblzma5: fix CVE-2022-1271

    Upgrade liblzma5 to 5.2.5-2.1~deb11u1

    CVE-2022-1271 affects the source packages gzip and xz-utils.
    Commit 4344cb713f upgraded the binary packages gzip and xz-utils.
    Upgrade xz-utils to 5.2.5-2.1~deb11u1. While the binary package
    liblzma5 is also built from xz-utils, it also needs to be
    upgraded, to the same version as xz-utils.

    Refer to:
    https://security-tracker.debian.org/tracker/CVE-2022-1271

    Test Plan:
    Pass: downloader
    Pass: build-pkgs --clean --all
    Pass: build image
    Pass: boot

    Closes-bug: #1994113

    Change-Id: Ieaf1dabc58e8d3177f190a525d481b1e71f962d8
    Signed-off-by: Zhang Xiao <email address hidden>
