All of lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH] package/xz: add upstream security fix for CVE-2022-1271 / ZDI-CAN-16587
@ 2022-04-19 11:34 Peter Korsgaard
  2022-04-19 12:35 ` Marcus Hoffmann
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Peter Korsgaard @ 2022-04-19 11:34 UTC (permalink / raw)
  To: buildroot

Fixes the following security issue:

- CVE-2022-1271: Malicious filenames can make xzgrep to write to arbitrary
  files or (with a GNU sed extension) lead to arbitrary code execution.

For more details, see the announcement and advisory:

https://www.mail-archive.com/xz-devel@tukaani.org/msg00551.html
https://www.zerodayinitiative.com/advisories/ZDI-22-619/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/xz/xz.hash | 1 +
 package/xz/xz.mk   | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/package/xz/xz.hash b/package/xz/xz.hash
index 3dd0cbe459..9577e98e80 100644
--- a/package/xz/xz.hash
+++ b/package/xz/xz.hash
@@ -1,5 +1,6 @@
 # Locally calculated after checking pgp signature
 sha256  5117f930900b341493827d63aa910ff5e011e0b994197c3b71c08a20228a42df  xz-5.2.5.tar.bz2
+sha256  98c6cb1042284fe704ec30083f3fc87364ce9ed2ea51f62bbb0ee9d3448717ec  xzgrep-ZDI-CAN-16587.patch
 
 # Hash for license files
 sha256  bcb02973ef6e87ea73d331b3a80df7748407f17efdb784b61b47e0e610d3bb5c  COPYING
diff --git a/package/xz/xz.mk b/package/xz/xz.mk
index af611975a0..cdb01e06a9 100644
--- a/package/xz/xz.mk
+++ b/package/xz/xz.mk
@@ -13,6 +13,10 @@ XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
 XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
 XZ_CPE_ID_VENDOR = tukaani
 
+XZ_PATCH = xzgrep-ZDI-CAN-16587.patch
+# xzgrep-ZDI-CAN-16587.patch
+XZ_IGNORE_CVES += CVE-2022-1271
+
 ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
 XZ_CONF_OPTS += --enable-threads
 else
-- 
2.30.2

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/xz: add upstream security fix for CVE-2022-1271 / ZDI-CAN-16587
  2022-04-19 11:34 [Buildroot] [PATCH] package/xz: add upstream security fix for CVE-2022-1271 / ZDI-CAN-16587 Peter Korsgaard
@ 2022-04-19 12:35 ` Marcus Hoffmann
  2022-04-19 20:32 ` Arnout Vandecappelle
  2022-05-22 10:29 ` Peter Korsgaard
  2 siblings, 0 replies; 4+ messages in thread
From: Marcus Hoffmann @ 2022-04-19 12:35 UTC (permalink / raw)
  To: buildroot

On 19.04.22 13:34, Peter Korsgaard wrote:
> Fixes the following security issue:
> 
> - CVE-2022-1271: Malicious filenames can make xzgrep to write to arbitrary
>    files or (with a GNU sed extension) lead to arbitrary code execution.
> 
> For more details, see the announcement and advisory:
> 
> https://www.mail-archive.com/xz-devel@tukaani.org/msg00551.html
> https://www.zerodayinitiative.com/advisories/ZDI-22-619/
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Ah, that's better than my attempt :-).

Reviewed-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>

> ---
>   package/xz/xz.hash | 1 +
>   package/xz/xz.mk   | 4 ++++
>   2 files changed, 5 insertions(+)
> 
> diff --git a/package/xz/xz.hash b/package/xz/xz.hash
> index 3dd0cbe459..9577e98e80 100644
> --- a/package/xz/xz.hash
> +++ b/package/xz/xz.hash
> @@ -1,5 +1,6 @@
>   # Locally calculated after checking pgp signature
>   sha256  5117f930900b341493827d63aa910ff5e011e0b994197c3b71c08a20228a42df  xz-5.2.5.tar.bz2
> +sha256  98c6cb1042284fe704ec30083f3fc87364ce9ed2ea51f62bbb0ee9d3448717ec  xzgrep-ZDI-CAN-16587.patch
>   
>   # Hash for license files
>   sha256  bcb02973ef6e87ea73d331b3a80df7748407f17efdb784b61b47e0e610d3bb5c  COPYING
> diff --git a/package/xz/xz.mk b/package/xz/xz.mk
> index af611975a0..cdb01e06a9 100644
> --- a/package/xz/xz.mk
> +++ b/package/xz/xz.mk
> @@ -13,6 +13,10 @@ XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
>   XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
>   XZ_CPE_ID_VENDOR = tukaani
>   
> +XZ_PATCH = xzgrep-ZDI-CAN-16587.patch
> +# xzgrep-ZDI-CAN-16587.patch
> +XZ_IGNORE_CVES += CVE-2022-1271
> +
>   ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
>   XZ_CONF_OPTS += --enable-threads
>   else
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/xz: add upstream security fix for CVE-2022-1271 / ZDI-CAN-16587
  2022-04-19 11:34 [Buildroot] [PATCH] package/xz: add upstream security fix for CVE-2022-1271 / ZDI-CAN-16587 Peter Korsgaard
  2022-04-19 12:35 ` Marcus Hoffmann
@ 2022-04-19 20:32 ` Arnout Vandecappelle
  2022-05-22 10:29 ` Peter Korsgaard
  2 siblings, 0 replies; 4+ messages in thread
From: Arnout Vandecappelle @ 2022-04-19 20:32 UTC (permalink / raw)
  To: Peter Korsgaard, buildroot



On 19/04/2022 13:34, Peter Korsgaard wrote:
> Fixes the following security issue:
> 
> - CVE-2022-1271: Malicious filenames can make xzgrep to write to arbitrary
>    files or (with a GNU sed extension) lead to arbitrary code execution.
> 
> For more details, see the announcement and advisory:
> 
> https://www.mail-archive.com/xz-devel@tukaani.org/msg00551.html
> https://www.zerodayinitiative.com/advisories/ZDI-22-619/
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

  Applied to master, thanks.

  Regards,
  Arnout

> ---
>   package/xz/xz.hash | 1 +
>   package/xz/xz.mk   | 4 ++++
>   2 files changed, 5 insertions(+)
> 
> diff --git a/package/xz/xz.hash b/package/xz/xz.hash
> index 3dd0cbe459..9577e98e80 100644
> --- a/package/xz/xz.hash
> +++ b/package/xz/xz.hash
> @@ -1,5 +1,6 @@
>   # Locally calculated after checking pgp signature
>   sha256  5117f930900b341493827d63aa910ff5e011e0b994197c3b71c08a20228a42df  xz-5.2.5.tar.bz2
> +sha256  98c6cb1042284fe704ec30083f3fc87364ce9ed2ea51f62bbb0ee9d3448717ec  xzgrep-ZDI-CAN-16587.patch
>   
>   # Hash for license files
>   sha256  bcb02973ef6e87ea73d331b3a80df7748407f17efdb784b61b47e0e610d3bb5c  COPYING
> diff --git a/package/xz/xz.mk b/package/xz/xz.mk
> index af611975a0..cdb01e06a9 100644
> --- a/package/xz/xz.mk
> +++ b/package/xz/xz.mk
> @@ -13,6 +13,10 @@ XZ_LICENSE = Public Domain, GPL-2.0+, GPL-3.0+, LGPL-2.1+
>   XZ_LICENSE_FILES = COPYING COPYING.GPLv2 COPYING.GPLv3 COPYING.LGPLv2.1
>   XZ_CPE_ID_VENDOR = tukaani
>   
> +XZ_PATCH = xzgrep-ZDI-CAN-16587.patch
> +# xzgrep-ZDI-CAN-16587.patch
> +XZ_IGNORE_CVES += CVE-2022-1271
> +
>   ifeq ($(BR2_TOOLCHAIN_HAS_THREADS),y)
>   XZ_CONF_OPTS += --enable-threads
>   else
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/xz: add upstream security fix for CVE-2022-1271 / ZDI-CAN-16587
  2022-04-19 11:34 [Buildroot] [PATCH] package/xz: add upstream security fix for CVE-2022-1271 / ZDI-CAN-16587 Peter Korsgaard
  2022-04-19 12:35 ` Marcus Hoffmann
  2022-04-19 20:32 ` Arnout Vandecappelle
@ 2022-05-22 10:29 ` Peter Korsgaard
  2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2022-05-22 10:29 UTC (permalink / raw)
  To: buildroot

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issue:
 > - CVE-2022-1271: Malicious filenames can make xzgrep to write to arbitrary
 >   files or (with a GNU sed extension) lead to arbitrary code execution.

 > For more details, see the announcement and advisory:

 > https://www.mail-archive.com/xz-devel@tukaani.org/msg00551.html
 > https://www.zerodayinitiative.com/advisories/ZDI-22-619/

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-05-22 10:30 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-04-19 11:34 [Buildroot] [PATCH] package/xz: add upstream security fix for CVE-2022-1271 / ZDI-CAN-16587 Peter Korsgaard
2022-04-19 12:35 ` Marcus Hoffmann
2022-04-19 20:32 ` Arnout Vandecappelle
2022-05-22 10:29 ` Peter Korsgaard

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.