* [Buildroot] [PATCH] package/gzip: security bump to version 1.12
@ 2022-04-19 11:25 Peter Korsgaard
  2022-04-19 20:32 ` Arnout Vandecappelle
  0 siblings, 1 reply; 2+ messages in thread
From: Peter Korsgaard @ 2022-04-19 11:25 UTC (permalink / raw)
  To: buildroot

Fixes the following security issues:

- CVE-2022-1271: An arbitrary file write vulnerability was found in GNU
  gzip's zgrep utility.  When zgrep is applied on the attacker's chosen file
  name (for example, a crafted file name), this can overwrite an attacker's
  content to an arbitrary attacker-selected file.  This flaw occurs due to
  insufficient validation when processing filenames with two or more
  newlines where selected content and the target file names are embedded in
  crafted multi-line file names.  This flaw allows a remote, low privileged
  attacker to force zgrep to write arbitrary files on the system.

https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/gzip/gzip.hash | 4 ++--
 package/gzip/gzip.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/gzip/gzip.hash b/package/gzip/gzip.hash
index 1cf73ff912..80b86f4797 100644
--- a/package/gzip/gzip.hash
+++ b/package/gzip/gzip.hash
@@ -1,6 +1,6 @@
 # Locally calculated after checking pgp signature
-# https://ftp.gnu.org/gnu/gzip/gzip-1.11.tar.xz.sig
+# https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.xz.sig
 # using key 155D3FC500C834486D1EEA677FD9FCCB000BEEEE
-sha256  9b9a95d68fdcb936849a4d6fada8bf8686cddf58b9b26c9c4289ed0c92a77907  gzip-1.11.tar.xz
+sha256  ce5e03e519f637e1f814011ace35c4f87b33c0bbabeec35baf5fbd3479e91956  gzip-1.12.tar.xz
 # Locally calculated
 sha256  8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903  COPYING
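Review bot: the unchanged "# using key 155D3FC500C834486D1EEA677FD9FCCB000BEEEE" comment in gzip.hash now sits under the 1.12 signature URL, so it claims the new tarball was checked against that same key, yet only the URL and tarball hash lines changed. Please confirm that gzip-1.12.tar.xz.sig was verified with that key before the sha256 was calculated. The COPYING hash is carried over untouched; a word in the log that the license file was rechecked for 1.12 would close that out.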
diff --git a/package/gzip/gzip.mk b/package/gzip/gzip.mk
index 92588fcdb8..2092df363c 100644
--- a/package/gzip/gzip.mk
+++ b/package/gzip/gzip.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-GZIP_VERSION = 1.11
+GZIP_VERSION = 1.12
 GZIP_SOURCE = gzip-$(GZIP_VERSION).tar.xz
 GZIP_SITE = $(BR2_GNU_MIRROR)/gzip
 # Some other tools expect it to be in /bin
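Review bot: the GZIP_VERSION line in gzip.mk moves to a full upstream release (1.11 to 1.12) rather than applying a targeted fix, while the commit message describes only CVE-2022-1271. Suggest adding a line on whether 1.12 brings other changes that affect the package, next to the linked bug-gzip message, so the bump is easier to assess when it is considered for other branches.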
-- 
2.30.2
