diff options
author | Ralph Siemsen <ralph.siemsen@linaro.org> | 2022-04-08 22:17:15 -0400 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-04-21 21:26:01 +0100 |
commit | 62aefd3864e289c4ab71c80c4b27de93d184241a (patch) | |
tree | 2fd7774f89e555fd1fd3d57ee7f363c5d36f06f3 /meta/recipes-extended/xz | |
parent | f36e87ec4f6e2d45533001b8c4b39d72501a3b5e (diff) | |
download | poky-62aefd3864e289c4ab71c80c4b27de93d184241a.tar.gz |
xz: fix CVE-2022-1271
Malicious filenames can make xzgrep to write to arbitrary files
or (with a GNU sed extension) lead to arbitrary code execution.
Upstream-Status: Backport [https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch]
CVE: CVE-2022-1271
(From OE-Core rev: da4180062f12aa855a0dd2c0dbe4f0721df67055)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended/xz')
-rw-r--r-- | meta/recipes-extended/xz/xz/CVE-2022-1271.patch | 96 | ||||
-rw-r--r-- | meta/recipes-extended/xz/xz_5.2.4.bb | 4 |
2 files changed, 99 insertions, 1 deletions
diff --git a/meta/recipes-extended/xz/xz/CVE-2022-1271.patch b/meta/recipes-extended/xz/xz/CVE-2022-1271.patch new file mode 100644 index 0000000000..7841a534d3 --- /dev/null +++ b/meta/recipes-extended/xz/xz/CVE-2022-1271.patch | |||
@@ -0,0 +1,96 @@ | |||
1 | From 6bb2369742f9ff0451c245e8ca9b9dfac0cc88ba Mon Sep 17 00:00:00 2001 | ||
2 | From: Lasse Collin <lasse.collin@tukaani.org> | ||
3 | Date: Tue, 29 Mar 2022 19:19:12 +0300 | ||
4 | Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587). | ||
5 | |||
6 | Malicious filenames can make xzgrep to write to arbitrary files | ||
7 | or (with a GNU sed extension) lead to arbitrary code execution. | ||
8 | |||
9 | xzgrep from XZ Utils versions up to and including 5.2.5 are | ||
10 | affected. 5.3.1alpha and 5.3.2alpha are affected as well. | ||
11 | This patch works for all of them. | ||
12 | |||
13 | This bug was inherited from gzip's zgrep. gzip 1.12 includes | ||
14 | a fix for zgrep. | ||
15 | |||
16 | The issue with the old sed script is that with multiple newlines, | ||
17 | the N-command will read the second line of input, then the | ||
18 | s-commands will be skipped because it's not the end of the | ||
19 | file yet, then a new sed cycle starts and the pattern space | ||
20 | is printed and emptied. So only the last line or two get escaped. | ||
21 | |||
22 | One way to fix this would be to read all lines into the pattern | ||
23 | space first. However, the included fix is even simpler: All lines | ||
24 | except the last line get a backslash appended at the end. To ensure | ||
25 | that shell command substitution doesn't eat a possible trailing | ||
26 | newline, a colon is appended to the filename before escaping. | ||
27 | The colon is later used to separate the filename from the grep | ||
28 | output so it is fine to add it here instead of a few lines later. | ||
29 | |||
30 | The old code also wasn't POSIX compliant as it used \n in the | ||
31 | replacement section of the s-command. Using \<newline> is the | ||
32 | POSIX compatible method. | ||
33 | |||
34 | LC_ALL=C was added to the two critical sed commands. POSIX sed | ||
35 | manual recommends it when using sed to manipulate pathnames | ||
36 | because in other locales invalid multibyte sequences might | ||
37 | cause issues with some sed implementations. In case of GNU sed, | ||
38 | these particular sed scripts wouldn't have such problems but some | ||
39 | other scripts could have, see: | ||
40 | |||
41 | info '(sed)Locale Considerations' | ||
42 | |||
43 | This vulnerability was discovered by: | ||
44 | cleemy desu wayo working with Trend Micro Zero Day Initiative | ||
45 | |||
46 | Thanks to Jim Meyering and Paul Eggert discussing the different | ||
47 | ways to fix this and for coordinating the patch release schedule | ||
48 | with gzip. | ||
49 | |||
50 | Upstream-Status: Backport [https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch] | ||
51 | CVE: CVE-2022-1271 | ||
52 | |||
53 | Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> | ||
54 | --- | ||
55 | src/scripts/xzgrep.in | 20 ++++++++++++-------- | ||
56 | 1 file changed, 12 insertions(+), 8 deletions(-) | ||
57 | |||
58 | diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in | ||
59 | index a1fd19c..da1e65b 100644 | ||
60 | --- a/src/scripts/xzgrep.in | ||
61 | +++ b/src/scripts/xzgrep.in | ||
62 | @@ -178,22 +178,26 @@ for i; do | ||
63 | { test $# -eq 1 || test $no_filename -eq 1; }; then | ||
64 | eval "$grep" | ||
65 | else | ||
66 | + # Append a colon so that the last character will never be a newline | ||
67 | + # which would otherwise get lost in shell command substitution. | ||
68 | + i="$i:" | ||
69 | + | ||
70 | + # Escape & \ | and newlines only if such characters are present | ||
71 | + # (speed optimization). | ||
72 | case $i in | ||
73 | (*' | ||
74 | '* | *'&'* | *'\'* | *'|'*) | ||
75 | - i=$(printf '%s\n' "$i" | | ||
76 | - sed ' | ||
77 | - $!N | ||
78 | - $s/[&\|]/\\&/g | ||
79 | - $s/\n/\\n/g | ||
80 | - ');; | ||
81 | + i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');; | ||
82 | esac | ||
83 | - sed_script="s|^|$i:|" | ||
84 | + | ||
85 | + # $i already ends with a colon so don't add it here. | ||
86 | + sed_script="s|^|$i|" | ||
87 | |||
88 | # Fail if grep or sed fails. | ||
89 | r=$( | ||
90 | exec 4>&1 | ||
91 | - (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&- | ||
92 | + (eval "$grep" 4>&-; echo $? >&4) 3>&- | | ||
93 | + LC_ALL=C sed "$sed_script" >&3 4>&- | ||
94 | ) || r=2 | ||
95 | exit $r | ||
96 | fi >&3 5>&- | ||
diff --git a/meta/recipes-extended/xz/xz_5.2.4.bb b/meta/recipes-extended/xz/xz_5.2.4.bb index 67a6cbd569..6d80a4f2e9 100644 --- a/meta/recipes-extended/xz/xz_5.2.4.bb +++ b/meta/recipes-extended/xz/xz_5.2.4.bb | |||
@@ -23,7 +23,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=97d554a32881fee0aa283d96e47cb24a \ | |||
23 | file://lib/getopt.c;endline=23;md5=2069b0ee710572c03bb3114e4532cd84 \ | 23 | file://lib/getopt.c;endline=23;md5=2069b0ee710572c03bb3114e4532cd84 \ |
24 | " | 24 | " |
25 | 25 | ||
26 | SRC_URI = "https://tukaani.org/xz/xz-${PV}.tar.gz" | 26 | SRC_URI = "https://tukaani.org/xz/xz-${PV}.tar.gz \ |
27 | file://CVE-2022-1271.patch \ | ||
28 | " | ||
27 | SRC_URI[md5sum] = "5ace3264bdd00c65eeec2891346f65e6" | 29 | SRC_URI[md5sum] = "5ace3264bdd00c65eeec2891346f65e6" |
28 | SRC_URI[sha256sum] = "b512f3b726d3b37b6dc4c8570e137b9311e7552e8ccbab4d39d47ce5f4177145" | 30 | SRC_URI[sha256sum] = "b512f3b726d3b37b6dc4c8570e137b9311e7552e8ccbab4d39d47ce5f4177145" |
29 | UPSTREAM_CHECK_REGEX = "xz-(?P<pver>\d+(\.\d+)+)\.tar" | 31 | UPSTREAM_CHECK_REGEX = "xz-(?P<pver>\d+(\.\d+)+)\.tar" |