diff mbox series

package/gzip: security bump to version 1.12

Message ID 20220419112544.993456-1-peter@korsgaard.com
State Superseded
Series package/gzip: security bump to version 1.12

Commit Message

Peter Korsgaard April 19, 2022, 11:25 a.m. UTC
Fixes the following security issues:

- CVE-2022-1271: An arbitrary file write vulnerability was found in GNU
  gzip's zgrep utility.  When zgrep is applied on the attacker's chosen file
  name (for example, a crafted file name), this can overwrite an attacker's
  content to an arbitrary attacker-selected file.  This flaw occurs due to
  insufficient validation when processing filenames with two or more
  newlines where selected content and the target file names are embedded in
  crafted multi-line file names.  This flaw allows a remote, low privileged
  attacker to force zgrep to write arbitrary files on the system.

https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/gzip/gzip.hash | 4 ++--
 package/gzip/gzip.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
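The CVE text above describes a bug class rather than a single line of code: an attacker-controlled file name with embedded newlines is spliced into text that another tool (here, sed) parses as a program. The following shell example is added here and is not gzip's zgrep code, which is not on this page; it shows the unsafe pattern, the command injection a two-line name achieves, a guard for names that must be handed to a line-oriented tool, and two hardened ways to prefix output with a name. It assumes a POSIX sh and sed; the function names, the malicious name and the input lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from gzip's zgrep.  The bug class behind
# CVE-2022-1271 is an untrusted file name spliced into a sed program.
# Assumes POSIX sh and sed; names and inputs below are constructed.

# UNSAFE: the file name becomes part of the sed script text.  sed separates
# commands with newlines, so a name containing a newline terminates the
# s command and the remainder of the name runs as further sed commands
# (a 'w path' command placed there writes every line to a path the name
# chooses, which is the arbitrary file write the CVE description refers to).
prefix_unsafe() {               # usage: prefix_unsafe NAME <input
    sed "s|^|$1:|"
}

nl='
'
# Guard for callers that must pass the name to a line-oriented tool:
# exit status 0 if NAME contains at least one newline, 1 otherwise.
contains_newline() {
    case $1 in
        *"$nl"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# HARDENED 1: keep the name out of any interpreted program and treat it as
# plain data with printf.  Correct for every byte sequence, no escaping.
prefix_safe() {                 # usage: prefix_safe NAME <input
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s:%s\n' "$1" "$line"
    done
}

# HARDENED 2: if sed must be used, escape everything that is special in a
# replacement text: backslash, '&', the '|' delimiter, and newlines (a
# backslash immediately followed by a newline is a literal newline in a
# POSIX sed replacement).  The output ends with a sentinel 'X' so that a
# trailing newline in NAME survives $(...), which strips trailing newlines;
# the caller removes the sentinel.
sed_escape_replacement() {
    printf '%sX' "$1" | sed -e 's/[\\&|]/\\&/g' -e '$!s/$/\\/'
}
prefix_escaped() {              # usage: prefix_escaped NAME <input
    escaped=$(sed_escape_replacement "$1")
    sed "s|^|${escaped%X}:|"
}

# Constructed malicious name: a newline followed by a second sed command.
evil_name=$(printf 'a|\ns|^|INJECTED')

# Runs the three variants on one input line so the difference is visible.
demo() {
    printf 'unsafe:  %s\n' "$(printf 'x\n' | prefix_unsafe "$evil_name")"
    printf 'safe:    %s\n' "$(printf 'x\n' | prefix_safe "$evil_name")"
    printf 'escaped: %s\n' "$(printf 'x\n' | prefix_escaped "$evil_name")"
}

if [ "${1-}" = demo ]; then demo; fi
```

Run the script with the argument `demo`: the unsafe variant prints `INJECTED:ax`, because the second line of the name became a second `s` command, while both hardened variants keep the whole name, newline included, as inert prefix text. `prefix_safe` is the simpler fix and is what to reach for when there is no reason to involve sed at all; `prefix_escaped` is the shape of fix needed when sed stays, and the sentinel handling is exactly the kind of detail a multi-newline name exercises.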

Comments

Arnout Vandecappelle April 19, 2022, 8:32 p.m. UTC | #1
On 19/04/2022 13:25, Peter Korsgaard wrote:
> Fixes the following security issues:
> 
> - CVE-2022-1271: An arbitrary file write vulnerability was found in GNU
>    gzip's zgrep utility.  When zgrep is applied on the attacker's chosen file
>    name (for example, a crafted file name), this can overwrite an attacker's
>    content to an arbitrary attacker-selected file.  This flaw occurs due to
>    insufficient validation when processing filenames with two or more
>    newlines where selected content and the target file names are embedded in
>    crafted multi-line file names.  This flaw allows a remote, low privileged
>    attacker to force zgrep to write arbitrary files on the system.
> 
> https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

  I applied the patch that Marcus sent 8 minutes earlier instead.

  Regards,
  Arnout

> ---
>   package/gzip/gzip.hash | 4 ++--
>   package/gzip/gzip.mk   | 2 +-
>   2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/package/gzip/gzip.hash b/package/gzip/gzip.hash
> index 1cf73ff912..80b86f4797 100644
> --- a/package/gzip/gzip.hash
> +++ b/package/gzip/gzip.hash
> @@ -1,6 +1,6 @@
>   # Locally calculated after checking pgp signature
> -# https://ftp.gnu.org/gnu/gzip/gzip-1.11.tar.xz.sig
> +# https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.xz.sig
>   # using key 155D3FC500C834486D1EEA677FD9FCCB000BEEEE
> -sha256  9b9a95d68fdcb936849a4d6fada8bf8686cddf58b9b26c9c4289ed0c92a77907  gzip-1.11.tar.xz
> +sha256  ce5e03e519f637e1f814011ace35c4f87b33c0bbabeec35baf5fbd3479e91956  gzip-1.12.tar.xz
>   # Locally calculated
>   sha256  8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903  COPYING
> diff --git a/package/gzip/gzip.mk b/package/gzip/gzip.mk
> index 92588fcdb8..2092df363c 100644
> --- a/package/gzip/gzip.mk
> +++ b/package/gzip/gzip.mk
> @@ -4,7 +4,7 @@
>   #
>   ################################################################################
>   
> -GZIP_VERSION = 1.11
> +GZIP_VERSION = 1.12
>   GZIP_SOURCE = gzip-$(GZIP_VERSION).tar.xz
>   GZIP_SITE = $(BR2_GNU_MIRROR)/gzip
>   # Some other tools expect it to be in /bin

Patch

diff --git a/package/gzip/gzip.hash b/package/gzip/gzip.hash
index 1cf73ff912..80b86f4797 100644
--- a/package/gzip/gzip.hash
+++ b/package/gzip/gzip.hash
@@ -1,6 +1,6 @@ 
 # Locally calculated after checking pgp signature
-# https://ftp.gnu.org/gnu/gzip/gzip-1.11.tar.xz.sig
+# https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.xz.sig
 # using key 155D3FC500C834486D1EEA677FD9FCCB000BEEEE
-sha256  9b9a95d68fdcb936849a4d6fada8bf8686cddf58b9b26c9c4289ed0c92a77907  gzip-1.11.tar.xz
+sha256  ce5e03e519f637e1f814011ace35c4f87b33c0bbabeec35baf5fbd3479e91956  gzip-1.12.tar.xz
 # Locally calculated
 sha256  8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903  COPYING
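Review bot: the `# using key 155D3FC500C834486D1EEA677FD9FCCB000BEEEE` line is carried over unchanged while the .sig URL moves to gzip-1.12.tar.xz.sig, so the "Locally calculated after checking pgp signature" statement is only true for 1.12 if that signature was actually verified against that same fingerprint; either say so in the commit message (which currently records only the CVE) or update the fingerprint to the key that signed the 1.12 tarball. The COPYING hash is kept as-is, which is fine as long as 1.12 ships a byte-identical COPYING; a `make gzip-legal-info` run will catch a mismatch.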
diff --git a/package/gzip/gzip.mk b/package/gzip/gzip.mk
index 92588fcdb8..2092df363c 100644
--- a/package/gzip/gzip.mk
+++ b/package/gzip/gzip.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-GZIP_VERSION = 1.11
+GZIP_VERSION = 1.12
 GZIP_SOURCE = gzip-$(GZIP_VERSION).tar.xz
 GZIP_SITE = $(BR2_GNU_MIRROR)/gzip
 # Some other tools expect it to be in /bin
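Review bot: the bump is minimal and correct as far as this hunk goes, since GZIP_SOURCE and GZIP_SITE derive from GZIP_VERSION and nothing else in the .mk depends on the version; but because the CVE-2022-1271 fix lives in the zgrep script that gzip installs rather than in the gzip binary, the commit message should mention that the package was rebuilt and the resulting zgrep checked, as nothing visible here shows the fixed script reaching the target.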