[ASA-202204-8] xz: arbitrary command execution
Levente Polyak
anthraxx at archlinux.org
Tue Apr 12 19:02:15 UTC 2022
Arch Linux Security Advisory ASA-202204-8
=========================================
Severity: High
Date : 2022-04-07
CVE-ID : CVE-2022-1271
Package : xz
Type : arbitrary command execution
Remote : No
Link : https://security.archlinux.org/AVG-2665
Summary
=======
The package xz before version 5.2.5-3 is vulnerable to arbitrary
command execution.
Resolution
==========
Upgrade to 5.2.5-3.
# pacman -Syu "xz>=5.2.5-3"
The problem has been fixed upstream but no release is available yet.
Workaround
==========
None.
Description
===========
Malicious filenames with two or more newlines can make zgrep and xzgrep
to write to arbitrary files or (with a GNU sed extension) lead to
arbitrary code execution. The issue with the old code is that with
multiple newlines, the N-command will read the second line of input,
then the s-commands will be skipped because it's not the end of the
file yet, then a new sed cycle starts and the pattern space is printed
and emptied. So only the last line or two get escaped.
Impact
======
An attacker is able to provide malicious filenames to write to
arbitrary files or execute arbitrary commands on the affected host.
References
==========
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c
https://savannah.gnu.org/forum/forum.php?forum_id=10157
https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch.sig
https://security.archlinux.org/CVE-2022-1271
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20220412/40471b63/attachment.sig>
More information about the arch-security
mailing list