Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 837155 - <app-arch/xz-utils-5.2.5-r2: Incorrect escaping for filenames in zgrep
Summary: <app-arch/xz-utils-5.2.5-r2: Incorrect escaping for filenames in zgrep
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+]
Keywords:
Depends on: 837158
Blocks: CVE-2022-1271
  Show dependency tree
 
Reported: 2022-04-07 18:05 UTC by Sam James
Modified: 2022-09-07 03:19 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-04-07 18:05:57 UTC 
Patch upstream but no new release.
Comment 1 Larry the Git Cow gentoo-dev 2022-04-07 18:11:30 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f5e1e0856c8c0fd62343a53590e2f29266a85d54

commit f5e1e0856c8c0fd62343a53590e2f29266a85d54
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-04-07 18:10:32 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-07 18:10:32 +0000

    app-arch/xz-utils: patch xzgrep vulnerability (ZDI-CAN-16587)
    
    Bug: https://bugs.gentoo.org/837155
    Signed-off-by: Sam James <sam@gentoo.org>

 .../xz-utils-5.2.5-xzgrep-ZDI-CAN-16587.patch      |  88 +++++++++++++++
 app-arch/xz-utils/xz-utils-5.2.5-r2.ebuild         | 118 +++++++++++++++++++++
 2 files changed, 206 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2022-09-07 03:01:31 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=142c539cc4c68c3dc0a3c55f8a7996f7a5b3c3d6

commit 142c539cc4c68c3dc0a3c55f8a7996f7a5b3c3d6
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-07 02:51:56 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-07 02:58:05 +0000

    [ GLSA 202209-01 ] GNU Gzip, XZ Utils: Arbitrary file write
    
    Bug: https://bugs.gentoo.org/837152
    Bug: https://bugs.gentoo.org/837155
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-01.xml | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-07 03:19:45 UTC 
GLSA released, all done!