#1009168 gzip: CVE-2022-1271: zgrep: arbitrary-file-write vulnerability

Package:
src:gzip
Source:
gzip
Submitter:
Salvatore Bonaccorso
Date:
2022-04-22 06:21:05 UTC
Severity:
grave
Tags:
#1009168#5
Date:
2022-04-08 04:52:42 UTC
From:
To:
Source: xz-utils
Version: 5.2.5-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: clone -1 -2
Control: retitle -2 gzip: CVE-2022-1271: zgrep: arbitrary-file-write vulnerability
Control: reassign -2 src:gzip 1.10-4
Control: found -2 1.9-3

Hi,

The following vulnerability was published for xz-utils and gzip, both
have to date assigned the same CVE, and cloning this bug as well for
one for gzip.

CVE-2022-1271[0]:
| zgrep, xzgrep: arbitrary-file-write vulnerability

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-1271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271
[1] https://www.openwall.com/lists/oss-security/2022/04/07/8
[2] https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
[3] https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
#1009168#28
Date:
2022-04-10 03:03:48 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
gzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1009168@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Milan Kupcevic <milan@debian.org> (supplier of updated gzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 09 Apr 2022 22:22:26 -0400
Source: gzip
Architecture: source
Version: 1.12-1
Distribution: sid
Urgency: high
Maintainer: Milan Kupcevic <milan@debian.org>
Changed-By: Milan Kupcevic <milan@debian.org>
Closes: 149775 1009168
Changes:
 gzip (1.12-1) sid; urgency=high
 .
   * new upstream release
     - zgrep: fix arbitrary-file-write vulnerability
       address CVE-2022-1271 (closes: #1009168)
     - report correct length of 4 GiB and larger files (closes: #149775)
     - zgrep: fix "binary file matches" mislabeling; remove
       zgrep-syntax-error.diff patch
     - gzip: port to SIGPIPE-less platforms; remove sigpipe.diff patch
     - gzexe: fix count of lines to skip; remove corresponding patch
   * set standards version to 4.6.0
   * update copyright notice
Checksums-Sha1:
 4db4932740e481782b9487f62059278872faac41 2009 gzip_1.12-1.dsc
 318107297587818c8f1e1fbb55962f4b2897bc0b 825548 gzip_1.12.orig.tar.xz
 981d0a887e94223ceb31930395b34af5e8e21270 833 gzip_1.12.orig.tar.xz.asc
 7208c37128ef7dcd949913b49475ac7a09cfb60a 18736 gzip_1.12-1.debian.tar.xz
 f2836da5694551e14eb81c4ae108a2e6229f3521 7370 gzip_1.12-1_amd64.buildinfo
Checksums-Sha256:
 49a287787a0b4fc816eb576c011c472d1f630ec1778dfa120bd7fce4a844c253 2009 gzip_1.12-1.dsc
 ce5e03e519f637e1f814011ace35c4f87b33c0bbabeec35baf5fbd3479e91956 825548 gzip_1.12.orig.tar.xz
 3ed9ab54452576e0be0d477c772c9f47baa36415133fef7dd1fcf7b15480ba32 833 gzip_1.12.orig.tar.xz.asc
 fcf2317e8eeddd66766ec5f3853025b109bd13815ec86ed6563e1af68d17193a 18736 gzip_1.12-1.debian.tar.xz
 54b6d99094516ce5ee993b5176c48753908f16628b944ea80975629aa8b3b091 7370 gzip_1.12-1_amd64.buildinfo
Files:
 7330ad11030af6a41177b5abbcd2aa90 2009 utils required gzip_1.12-1.dsc
 9608e4ac5f061b2a6479dc44e917a5db 825548 utils required gzip_1.12.orig.tar.xz
 431c7f48daf19af368c0bdc483f830a5 833 utils required gzip_1.12.orig.tar.xz.asc
 6c75c37b14877fadf4733520164136a4 18736 utils required gzip_1.12-1.debian.tar.xz
 3fcedc2f6569ee099684c3aa48ad0bd0 7370 utils required gzip_1.12-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----

iQHFBAEBCgAvFiEEVkf/m69krCYf+z+G6e1ngbRVCQ4FAmJSRNsRHG1pbGFuQGRl
Ymlhbi5vcmcACgkQ6e1ngbRVCQ6ujwwAvqbrGRMGRQCq54Tp9aMJNFz0W+CJ4woW
q46Fp9UdY+gL3roOvKRGYK5blcMBjWkqGjXT1lqiK80UIevzIGwQ4/VZaO+fXjph
PEXcMaaBUW7g3E8PPEdf06sa0W4eYRDQqR+5DFv6tCp/CQdyLz9ii1h8pOXT/mf/
J4DjYeqtyllMlSaYFMBH5I4mS+j/iTMgVGdWK4kcXv9pa3IuQDPfpV2bj5/oOohV
1NDCjjahjwWlj8WznxGhyKY3m1dyxT+lJiQpJZge2bsVN7Prv8Qez7ibgFuAow9u
Ew5wkpaR455iFYO3LZwsZhxPnSFtqF80obh3LnF54WLWrIhNuUQQtXkFcXlZQdgy
+sUWHiY/ayPij1u2wfEQZhAttavXFyTpGfG5fyK1KYomfrzYkzElyIkihBygSMOV
BGCkBCUK/6xwLB5kJC2VpoLrMHDzOxuBbkeOjlLeAVLJ74vvUGo4+BbTtDx8icJl
KZcIVUP4mAdN6pnYUaHuWRRf/Ugl4Zj1
=hX/a
-----END PGP SIGNATURE-----
#1009168#33
Date:
2022-04-22 06:02:29 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
gzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1009168@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Milan Kupcevic <milan@debian.org> (supplier of updated gzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 15 Apr 2022 14:16:55 -0400
Source: gzip
Architecture: source
Version: 1.9-3+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Milan Kupcevic <milan@debian.org>
Closes: 1009168
Changes:
 gzip (1.9-3+deb10u1) buster-security; urgency=high
 .
   * zgrep: fix arbitrary-file-write vulnerability
     addressing CVE-2022-1271 (closes: #1009168)
   * debian/rules: set execute mode bit on test scripts
Checksums-Sha1:
 feb7374a5e034f3782e992c6001c8fdc45e4a01c 1842 gzip_1.9-3+deb10u1.dsc
 7d32532059ff1fcec87cc44b86f9456719e0485f 1181937 gzip_1.9.orig.tar.gz
 74b8550625dce878120f065390b58c0e2c0811ee 17984 gzip_1.9-3+deb10u1.debian.tar.xz
 a451a46e6ec7be97cfc3d27e31d2d3fa6dc1992e 6661 gzip_1.9-3+deb10u1_amd64.buildinfo
Checksums-Sha256:
 9d59e20581097941df44eff5cafb2ed8f3fd416278fbd08723048f6020ccc052 1842 gzip_1.9-3+deb10u1.dsc
 5d2d3a3432ef32f24cdb060d278834507b481a75adeca18850c73592f778f6ad 1181937 gzip_1.9.orig.tar.gz
 47e692e16f5e1d950fc7a259dc1418c7988dd33f659109e59af90a3384ec01ae 17984 gzip_1.9-3+deb10u1.debian.tar.xz
 9b88ad72e38a6ffda804030b53902b9e840b04b11ba7d75764be061b70122839 6661 gzip_1.9-3+deb10u1_amd64.buildinfo
Files:
 789b70393726b2e2b4203a61da61d82b 1842 utils required gzip_1.9-3+deb10u1.dsc
 929d6a6b832f75b28e3eeeafb30c1d9b 1181937 utils required gzip_1.9.orig.tar.gz
 4671c1899db302a584e2f1f72bdf0856 17984 utils required gzip_1.9-3+deb10u1.debian.tar.xz
 8691b98f7b3066854d7da26c89228621 6661 utils required gzip_1.9-3+deb10u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----

iQHFBAEBCgAvFiEEVkf/m69krCYf+z+G6e1ngbRVCQ4FAmJa6d4RHG1pbGFuQGRl
Ymlhbi5vcmcACgkQ6e1ngbRVCQ4eSwwAkwPLIBj6EXQ7cK3uOWj8h4d0BmAj85u5
/lB3ti+iUUeBxrieDw6eU2moVWbob9uXVrzerJmD2H8P8G1a5UsGHO7yGh64zVt7
BaseqH2bhiLOnsKvQ+3Z+W+u3Q16T+bnSjQT6mRMzni8JEK0PaQYHdnMJ0LzVH5V
j3/p2U30L+IcEwibz9lOr0qdetIdvOncZU+nLArU0dufl5PzLDst+WI88Q1C9c5H
h96/gEXvvw1ypDzytzqgR/pmXuTT4Bb6ItO3B9wn+c2MLlYhGPo/gKA5kAc5ytHa
ERgwAb64nDxveI2eXwShQWoE3BchM35v3QjN2y1sW9BZNTe8MXuaepoGrzenH9ul
nlVTZ93DwxJ38UguUnjjFxsyjO8OpHJA8Kdi0X3Xp4+pfvaLvr9jEnm14Gb2hLbM
LTSfq/1SEQc+cEGSJeWYnVPvziIPBSAtbycvayqwZFFUS63wiEpJehX73v/V/2d8
94spqtY/mQKOTXFWS2rHLWkAV456LXQc
=VDTe
-----END PGP SIGNATURE-----
#1009168#38
Date:
2022-04-22 06:17:07 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
gzip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1009168@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Milan Kupcevic <milan@debian.org> (supplier of updated gzip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 10 Apr 2022 01:50:32 -0400
Source: gzip
Architecture: source
Version: 1.10-4+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Milan Kupcevic <milan@debian.org>
Changed-By: Milan Kupcevic <milan@debian.org>
Closes: 1009168
Changes:
 gzip (1.10-4+deb11u1) bullseye-security; urgency=high
 .
   * zgrep: fix arbitrary-file-write vulnerability
     addressing CVE-2022-1271 (closes: #1009168)
Checksums-Sha1:
 594413de8fe673dd1b7d6f819455e5e5b973a902 1812 gzip_1.10-4+deb11u1.dsc
 88ef05b5415b7124fdad9976cac8dd29cd915f69 1201421 gzip_1.10.orig.tar.gz
 203d8a49717624ef22e35417cf590fd4cfcf5d5d 22952 gzip_1.10-4+deb11u1.debian.tar.xz
 071a3f7bb8867017365bbda6aa20bc2b1d659d06 7569 gzip_1.10-4+deb11u1_amd64.buildinfo
Checksums-Sha256:
 0bcc813d124297ae741573b30db5faefec038aff92616d6ba014f859703f5acf 1812 gzip_1.10-4+deb11u1.dsc
 c91f74430bf7bc20402e1f657d0b252cb80aa66ba333a25704512af346633c68 1201421 gzip_1.10.orig.tar.gz
 183338e989ad327fca8c3281e8452c571bafed0c3cca0b6cea269a34b8dc19d2 22952 gzip_1.10-4+deb11u1.debian.tar.xz
 d6eabc3167290e67f01f561a09146596a0896578fe86863f91f6cb9d1703e3ea 7569 gzip_1.10-4+deb11u1_amd64.buildinfo
Files:
 72ba9d8d8a976ecc709c4a2b0c6ed875 1812 utils required gzip_1.10-4+deb11u1.dsc
 cf9ee51aff167ff69844d5d7d71c8b20 1201421 utils required gzip_1.10.orig.tar.gz
 7af1a1f7352fbfd60a24a98798eaab18 22952 utils required gzip_1.10-4+deb11u1.debian.tar.xz
 2ee36dac9d3688847c823047eced8414 7569 utils required gzip_1.10-4+deb11u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----

iQHFBAEBCgAvFiEEVkf/m69krCYf+z+G6e1ngbRVCQ4FAmJUJmgRHG1pbGFuQGRl
Ymlhbi5vcmcACgkQ6e1ngbRVCQ4lPAv+Pt76RpCVJJI6pYfaLeRButt3HXjgOm96
t4KttNiRkH5knRAP9cyS4RhPLe4sxTlEVd1zGHvL4zPr3xJLnyfEzB2mgmKngpci
ILCf7uPv8p2iBB5CjfFfb2FRb0RJVwbxzCe9bqRHrK0BuIlKvfrIqXHuPSHTBRT8
DS34UVCQlQkj9u9IWTHsjuoYbF5MrfJ25R7Cj98snhYQhm9JQZYnbEM1WZ5ugAEM
A5bS9xWhonQaDrhFFppneFBzZyWn/0FeXC2v7mw/TdF4bx/7m3AKP32FrO6fa4Wc
QUQ51YX2LMccxUQoWQP/yaGBJzavRcJGOQiFskvap2H8Xfi6IlttdBYeg160r6nV
2gCcnT48CaR7xNAedESlx9ra7oGzk4iXalil51139iAi7PebnNp+fVaV95xpbApu
8FSVFXc9RWzty/obdZb0cyqz4zysFYld3wAAPa5E1jQwa03rRwoaZ6CQ+hUarpbN
atY1KsmUb0NDxApZZhrIKE6tAZx62H8N
=VdZY
-----END PGP SIGNATURE-----