From: Marcus Hoffmann <marcus.hoffmann@othermo.de>
To: Baruch Siach <baruch@tkos.co.il>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 2/2] package/xz: backport CVE-2022-1271 security fix
Date: Tue, 19 Apr 2022 19:37:16 +0200 [thread overview]
Message-ID: <22e0669c-6221-0ae8-e8ce-b884cd1726c6@othermo.de> (raw)
In-Reply-To: <87tuapqaqw.fsf@tarshish>
Hi Baruch,
On 19.04.22 18:47, Baruch Siach via buildroot wrote:
> Hi Marcus,
>
> On Tue, Apr 19 2022, Marcus Hoffmann wrote:
>> Fixes the following security issue:
>>
>> CVE-2022-1271/ZDI-22-619/ZDI-CAN-16587: arbitrary-file-write vulnerability
>>
>> Malicious filenames can make xzgrep to write to arbitrary files
>> or (with a GNU sed extension) lead to arbitrary code execution.
>>
>> xzgrep from XZ Utils versions up to and including 5.2.5 are
>> affected. 5.3.1alpha and 5.3.2alpha are affected as well.
>> This patch works for all of them.
>>
>> This bug was inherited from gzip's zgrep. gzip 1.12 includes
>> a fix for zgrep.
>>
>> This vulnerability was discovered by:
>> cleemy desu wayo working with Trend Micro Zero Day Initiative
>>
>> https://www.mail-archive.com/xz-devel@tukaani.org/msg00551.html
>> https://www.zerodayinitiative.com/advisories/ZDI-22-619/
>> https://www.openwall.com/lists/oss-security/2022/04/07/8
>> Signed-off-by: Marcus Hoffmann <marcus.hoffmann@othermo.de>
>> ---
>> package/xz/0001-xzgrep-ZDI-CAN-16587.patch | 96 ++++++++++++++++++++++
>> 1 file changed, 96 insertions(+)
>> create mode 100644 package/xz/0001-xzgrep-ZDI-CAN-16587.patch
>
> This patch should also add XZ_IGNORE_CVES in xz.mk.
>
> baruch
Indeed! But Peter already send a better patch that does this:
https://patchwork.ozlabs.org/project/buildroot/patch/20220419113409.1008586-1-peter@korsgaard.com/
Marcus
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2022-04-19 17:37 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-19 11:17 [Buildroot] [PATCH 1/2] package/gzip: security bump to 1.12 Marcus Hoffmann
2022-04-19 11:17 ` [Buildroot] [PATCH 2/2] package/xz: backport CVE-2022-1271 security fix Marcus Hoffmann
2022-04-19 16:47 ` Baruch Siach via buildroot
2022-04-19 17:27 ` Marcus Hoffmann
2022-04-19 17:37 ` Marcus Hoffmann [this message]
2022-04-19 20:31 ` [Buildroot] [PATCH 1/2] package/gzip: security bump to 1.12 Arnout Vandecappelle
2022-05-22 10:30 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=22e0669c-6221-0ae8-e8ce-b884cd1726c6@othermo.de \
--to=marcus.hoffmann@othermo.de \
--cc=baruch@tkos.co.il \
--cc=buildroot@buildroot.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.