- Package: src:xz-utils
- Source: xz-utils
- Submitter: Salvatore Bonaccorso
- Date: 2022-04-22 06:21:03 UTC
- Severity: grave
- Tags:
Source: xz-utils
Version: 5.2.5-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: clone -1 -2
Control: retitle -2 gzip: CVE-2022-1271: zgrep: arbitrary-file-write vulnerability
Control: reassign -2 src:gzip 1.10-4
Control: found -2 1.9-3

Hi,

The following vulnerability was published for xz-utils and gzip; both have to date been assigned the same CVE, so I am cloning this bug as well for one for gzip.

CVE-2022-1271[0]:
| zgrep, xzgrep: arbitrary-file-write vulnerability

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-1271
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271
[1] https://www.openwall.com/lists/oss-security/2022/04/07/8
[2] https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
[3] https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Dear maintainer,

I've prepared an NMU for xz-utils (versioned as 5.2.5-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

Regards,
Salvatore
Hi Jonathan,

I noted that the last uploads done by Sebastian were NMUs, so I hope it is uncontroversial that I rescheduled the fix to delayed/0 and direct upload tonight. There is no particular reason for the urgency; it's more that I would like to base the bullseye-security upload just on top of the 5.2.5-2.1 version, versioned 5.2.5-2.1~deb11u1, and additionally have the fix exposed in unstable first for regression testing. If that was not a welcome move and you would rather have had it only on delayed/2, then please let me know.

Regards,
Salvatore
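The message above relies on dpkg version ordering: 5.2.5-2.1~deb11u1 must sort below 5.2.5-2.1 so that a bullseye system upgrading to the unstable package still moves forward. As an added example (not code from this bug thread or from dpkg), here is a pure-Python port of dpkg's comparison rules, with the three fixed versions taken from the .changes records in this log, so a practitioner can check whether an installed xz-utils version carries the CVE-2022-1271 fix for its suite:

```python
# Added example, not code from this bug thread or from dpkg: a pure-Python port
# of dpkg's version ordering to check whether an xz-utils version has the fix.
import re
from itertools import zip_longest

FIXED = {  # fixed versions exactly as listed in this bug log's .changes records
    "buster": "5.2.4-1+deb10u1",
    "bullseye": "5.2.5-2.1~deb11u1",
    "unstable": "5.2.5-2.1",
}

_TOKENS = re.compile(r"(\D*)(\d*)")  # alternating non-digit / digit runs


def _order(c):
    """dpkg's character weight: '~' sorts before everything, even end of string."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _frag_cmp(a, b):
    """Compare an upstream or revision fragment the way dpkg's verrevcmp does."""
    pairs = zip_longest(_TOKENS.findall(a), _TOKENS.findall(b), fillvalue=("", ""))
    for (na, da), (nb, db) in pairs:
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):  # leading zeros are insignificant
            return int(da or 0) - int(db or 0)
    return 0


def _split(v):
    """Split '[epoch:]upstream[-revision]'; missing epoch/revision default to 0."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "0")


def deb_cmp(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    c = (ea > eb) - (ea < eb) or _frag_cmp(ua, ub) or _frag_cmp(ra, rb)
    return (c > 0) - (c < 0)


def is_fixed(installed, suite):  # is the installed version at or above the fix?
    return deb_cmp(installed, FIXED[suite]) >= 0
```

On a real Debian host the same comparison is available as `dpkg --compare-versions`; the port only makes the tilde and plus-suffix rules visible.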
We believe that the bug you reported is fixed in the latest version of
xz-utils, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1009167@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated xz-utils package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 10 Apr 2022 13:31:29 +0200
Source: xz-utils
Architecture: source
Version: 5.2.5-2.1
Distribution: unstable
Urgency: medium
Maintainer: Jonathan Nieder <jrnieder@gmail.com>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1009167
Changes:
xz-utils (5.2.5-2.1) unstable; urgency=medium
.
* Non-maintainer upload.
* xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587)
(CVE-2022-1271) (Closes: #1009167)
Hi Salvatore,

Salvatore Bonaccorso wrote:

No problem at all. Thanks for your work! (And I'd be happy to have a new maintainer or co-maintainer if you're interested. :))

Thanks,
Jonathan
Hi Jonathan,

I decline because I think I already have enough on my plate.

FWIW, status update: I have prepared the corresponding security updates as well, and for safety we have scheduled some regression testing. We plan to release the DSA in the next few days (similarly for gzip).

Regards,
Salvatore
Format: 1.8
Date: Mon, 11 Apr 2022 16:51:17 +0200
Source: xz-utils
Architecture: source
Version: 5.2.4-1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Jonathan Nieder <jrnieder@gmail.com>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1009167
Changes:
xz-utils (5.2.4-1+deb10u1) buster-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587)
(CVE-2022-1271) (Closes: #1009167)
Format: 1.8
Date: Mon, 11 Apr 2022 16:36:49 +0200
Source: xz-utils
Architecture: source
Version: 5.2.5-2.1~deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Jonathan Nieder <jrnieder@gmail.com>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 1009167
Changes:
xz-utils (5.2.5-2.1~deb11u1) bullseye-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Rebuild for bullseye-security.
.
xz-utils (5.2.5-2.1) unstable; urgency=medium
.
* Non-maintainer upload.
* xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587)
(CVE-2022-1271) (Closes: #1009167)