author | Ralph Siemsen <ralph.siemsen@linaro.org> | 2022-04-08 22:17:23 -0400 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-04-21 21:26:01 +0100 |
commit | 170ce893e750630a9180ac0ae087b8105418db05 (patch) | |
tree | 220e348ac27339aa5cdae6e786eb715a1269248c /meta/recipes-extended | |
parent | 08a3ac8403fa95fe1bccd052933fce1f9fc1a899 (diff) | |
download | poky-170ce893e750630a9180ac0ae087b8105418db05.tar.gz |
gzip: fix CVE-2022-1271
zgrep applied to a crafted file name with two or more newlines
can no longer overwrite an arbitrary, attacker-selected file.
Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c]
CVE: CVE-2022-1271
(From OE-Core rev: b7f0696bc60409af215549d26621526c1a93a002)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-extended')
-rw-r--r-- | meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch | 45 | ||||
-rw-r--r-- | meta/recipes-extended/gzip/gzip_1.10.bb | 1 |
2 files changed, 46 insertions, 0 deletions
diff --git a/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch b/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch new file mode 100644 index 0000000000..046c95df47 --- /dev/null +++ b/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch | |||
@@ -0,0 +1,45 @@ | |||
1 | From 7073a366ee71639a1902eefb7500e14acb920f64 Mon Sep 17 00:00:00 2001 | ||
2 | From: Lasse Collin <lasse.collin@tukaani.org> | ||
3 | Date: Mon, 4 Apr 2022 23:52:49 -0700 | ||
4 | Subject: [PATCH] zgrep: avoid exploit via multi-newline file names | ||
5 | |||
6 | * zgrep.in: The issue with the old code is that with multiple | ||
7 | newlines, the N-command will read the second line of input, | ||
8 | then the s-commands will be skipped because it's not the end | ||
9 | of the file yet, then a new sed cycle starts and the pattern | ||
10 | space is printed and emptied. So only the last line or two get | ||
11 | escaped. This patch makes sed read all lines into the pattern | ||
12 | space and then do the escaping. | ||
13 | |||
14 | This vulnerability was discovered by: | ||
15 | cleemy desu wayo working with Trend Micro Zero Day Initiative | ||
16 | |||
17 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c] | ||
18 | CVE: CVE-2022-1271 | ||
19 | |||
20 | Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> | ||
21 | --- | ||
22 | zgrep.in | 10 +++++++--- | ||
23 | 1 file changed, 7 insertions(+), 3 deletions(-) | ||
24 | |||
25 | diff --git a/zgrep.in b/zgrep.in | ||
26 | index 3efdb52..d391291 100644 | ||
27 | --- a/zgrep.in | ||
28 | +++ b/zgrep.in | ||
29 | @@ -222,9 +222,13 @@ do | ||
30 | '* | *'&'* | *'\'* | *'|'*) | ||
31 | i=$(printf '%s\n' "$i" | | ||
32 | sed ' | ||
33 | - $!N | ||
34 | - $s/[&\|]/\\&/g | ||
35 | - $s/\n/\\n/g | ||
36 | + :start | ||
37 | + $!{ | ||
38 | + N | ||
39 | + b start | ||
40 | + } | ||
41 | + s/[&\|]/\\&/g | ||
42 | + s/\n/\\n/g | ||
43 | ');; | ||
44 | esac | ||
45 | sed_script="s|^|$i:|" | ||
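Review bot: The sed fix at lines 36-42 of the embedded patch comes with no regression test; the patch's own diffstat (lines 22-23) shows zgrep.in as the only file changed. The commit text says the old script escaped only the last line or two of a multi-newline name, so a test that feeds zgrep a file name with two or more newlines plus `&`, `|` or `\` and checks that the whole name is escaped before it reaches `s|^|$i:|` would keep the loop from regressing. Separately, the `From 7073a366...` hash on line 1 differs from the commit id quoted in Upstream-Status on line 17; if the patch was exported from a local cherry-pick, a short remark to that effect would help anyone comparing it against upstream.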
diff --git a/meta/recipes-extended/gzip/gzip_1.10.bb b/meta/recipes-extended/gzip/gzip_1.10.bb index 9778e687e1..c558c21f10 100644 --- a/meta/recipes-extended/gzip/gzip_1.10.bb +++ b/meta/recipes-extended/gzip/gzip_1.10.bb | |||
@@ -4,6 +4,7 @@ LICENSE = "GPLv3+" | |||
4 | 4 | ||
5 | SRC_URI = "${GNU_MIRROR}/gzip/${BP}.tar.gz \ | 5 | SRC_URI = "${GNU_MIRROR}/gzip/${BP}.tar.gz \ |
6 | file://run-ptest \ | 6 | file://run-ptest \ |
7 | file://CVE-2022-1271.patch \ | ||
7 | " | 8 | " |
8 | SRC_URI_append_class-target = " file://wrong-path-fix.patch" | 9 | SRC_URI_append_class-target = " file://wrong-path-fix.patch" |
9 | 10 | ||
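Review bot: The new `file://CVE-2022-1271.patch` entry at line 7 goes into the unconditional SRC_URI, while wrong-path-fix.patch two lines below is appended for class-target only, and the commit message does not say that the difference is intended. Applying the fix to every variant of the recipe looks like the right scope for a change to zgrep.in, so one sentence in the commit message stating that non-target builds are meant to carry it would close the question.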