Bugzilla – Bug 1198062
VUL-0: CVE-2022-1271: gzip,xz: Fix escaping of malicious filenames (ZDI-CAN-16587)
Last modified: 2024-06-07 13:44:16 UTC
From distros private ML
-----------------------
This is to inform you of an exploitable bug in both GNU gzip's zgrep and xzutils' xzgrep. Running those tools on attacker-chosen file names can result in writing attacker-chosen content to arbitrary attacker-chosen files. Both the selected content and the target file names are embedded in crafted multi-line file names. With GNU sed, the exploit also enables remote code execution via its "e" command.

This sounds bad, but may be relatively hard to exploit, other than by means of "Here's a zip archive, download it and use x?zgrep to search through it" (note that these programs reject --recursive/-r). Of course, if there is some scripted process (esp. if root-run) that runs x?zgrep on potentially malicious files, ...

These bugs were discovered by cleemy desu wayo working with Trend Micro Zero Day Initiative.

Both gzip and xzutils have unpublished fixes and are prepared to make releases, but we wanted to ensure that no one here would like a delay. If you think these deserve a CVE number and provide one, we'll be sure to mention that in the commit logs.

I've attached Lasse's xzgrep patch and a zgrep-poc.sh. If I hear no objection by the end of Wednesday, April 6, I expect we'll release both gzip and xzutils soon after.
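The bug class described in the forwarded report, as an added shell example that is neither from the gzip or xz projects nor from the report itself: a file name interpolated verbatim into a sed `s` command (the way x?zgrep prefixed output lines with the file name), beside a helper that escapes the name first. The function names and the constructed file name are assumptions made for this example; the escaping relies on standard sed behaviour (backslash-newline inside the replacement inserts a newline), and the parse-failure check assumes GNU sed.

```shell
#!/bin/sh
# Added example (not gzip/xz upstream code): the bug class behind CVE-2022-1271.
# x?zgrep built a sed script of the form  s|^|<file name>:|  to prefix each
# matching line with the file name. A file name containing the delimiter, "&",
# a backslash or a newline changes what sed parses, so a multi-line name can
# smuggle further sed commands into the script.

# Constructed test name: delimiter, ampersand, backslash and an embedded newline.
nasty_name="$(printf 'a|b&c\\d\ne')"

# Vulnerable pattern: the name goes into the sed script unescaped.
prefix_lines_naive() {
    sed "s|^|$1:|"
}

# Escape a string for use as the replacement part of  s|^|...|  :
#  - backslash, "&" and the delimiter "|" are backslash-escaped;
#  - every newline except the last is preceded by a backslash, the POSIX way
#    to put a newline into a sed replacement, so the newline can no longer
#    terminate the s command and start a new one.
# A trailing "." sentinel survives $(...), which would otherwise strip a final
# newline from the name; the caller removes the sentinel.
escape_for_sed_replacement() {
    printf '%s.\n' "$1" | LC_ALL=C sed 's/[\\&|]/\\&/g; $!s/$/\\/'
}

# Hardened pattern: same sed invocation, escaped name.
prefix_lines_hardened() {
    name=$(escape_for_sed_replacement "$1")
    name=${name%.}
    sed "s|^|$name:|"
}

# Returns 0 when the naive prefixer cannot even parse the script built from
# the constructed name (GNU sed reports an unknown option to `s').
naive_rejects_nasty_name() {
    ! printf 'line1\n' | prefix_lines_naive "$nasty_name" >/dev/null 2>&1
}

# Hardened output for two constructed input lines: the name is reproduced
# literally, newline included, and nothing in it is interpreted by sed.
hardened_output() {
    printf 'line1\nline2\n' | prefix_lines_hardened "$nasty_name"
}

# Usage when run directly: print the hardened result.
hardened_output
```

The naive form fails loudly on this particular name only because the fragment after the third `|` is not a valid `s` flag; a name crafted so that the first line closes the command cleanly would instead be accepted and executed, which is the behaviour the report describes. The hardened form never lets the name reach sed's command parser as anything but replacement text.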
CVE-2022-1271 assigned
public on osss
Created attachment 857958 [details] XZ patch. Same as the obsoleted one; I just re-uploaded it to set a better name.
Created attachment 857959 [details] gzip full patch series [*/7]. This is the full series, including the missing 7th patch, which still needs to be applied.
This is an autogenerated message for OBS integration: This bug (1198062) was mentioned in https://build.opensuse.org/request/show/968010 Factory / gzip
FYI: I submitted an AppArmor profile for zgrep and xzgrep that will prevent exploiting this issue: https://build.opensuse.org/request/show/968253
*** Bug 1198333 has been marked as a duplicate of this bug. ***
Does this affect lzgrep/bzgrep?
SUSE-SU-2022:1160-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1198062
CVE References: CVE-2022-1271
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): xz-5.0.5-6.7.1
SUSE OpenStack Cloud Crowbar 8 (src): xz-5.0.5-6.7.1
SUSE OpenStack Cloud 9 (src): xz-5.0.5-6.7.1
SUSE OpenStack Cloud 8 (src): xz-5.0.5-6.7.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): xz-5.0.5-6.7.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): xz-5.0.5-6.7.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): xz-5.0.5-6.7.1
SUSE Linux Enterprise Server 12-SP5 (src): xz-5.0.5-6.7.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): xz-5.0.5-6.7.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): xz-5.0.5-6.7.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): xz-5.0.5-6.7.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): xz-5.0.5-6.7.1
HPE Helion Openstack 8 (src): xz-5.0.5-6.7.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1158-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1198062
CVE References: CVE-2022-1271
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): xz-5.2.3-150000.4.7.1
openSUSE Leap 15.3 (src): xz-5.2.3-150000.4.7.1
SUSE Manager Server 4.1 (src): xz-5.2.3-150000.4.7.1
SUSE Manager Retail Branch Server 4.1 (src): xz-5.2.3-150000.4.7.1
SUSE Manager Proxy 4.1 (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Server for SAP 15 (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Server 15-LTSS (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Micro 5.2 (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Micro 5.1 (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Micro 5.0 (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): xz-5.2.3-150000.4.7.1
SUSE Enterprise Storage 7 (src): xz-5.2.3-150000.4.7.1
SUSE Enterprise Storage 6 (src): xz-5.2.3-150000.4.7.1
SUSE CaaS Platform 4.0 (src): xz-5.2.3-150000.4.7.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:14938-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1198062
CVE References: CVE-2022-1271
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): xz-5.0.3-0.12.7.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): xz-5.0.3-0.12.7.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): xz-5.0.3-0.12.7.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): xz-5.0.3-0.12.7.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1250-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (important)
Bug References: 1177047,1180713,1198062
CVE References: CVE-2022-1271
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src): gzip-1.10-150000.4.12.1
SUSE Linux Enterprise Server for SAP 15 (src): gzip-1.10-150000.4.12.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): gzip-1.10-150000.4.12.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): gzip-1.10-150000.4.12.1
SUSE Linux Enterprise Server 15-LTSS (src): gzip-1.10-150000.4.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): gzip-1.10-150000.4.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): gzip-1.10-150000.4.12.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): gzip-1.10-150000.4.12.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): gzip-1.10-150000.4.12.1
SUSE Enterprise Storage 6 (src): gzip-1.10-150000.4.12.1
SUSE CaaS Platform 4.0 (src): gzip-1.10-150000.4.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1275-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1198062
CVE References: CVE-2022-1271
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): gzip-1.6-9.6.2
SUSE OpenStack Cloud Crowbar 8 (src): gzip-1.6-9.6.2
SUSE OpenStack Cloud 9 (src): gzip-1.6-9.6.2
SUSE OpenStack Cloud 8 (src): gzip-1.6-9.6.2
SUSE Linux Enterprise Server for SAP 12-SP4 (src): gzip-1.6-9.6.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src): gzip-1.6-9.6.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src): gzip-1.6-9.6.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src): gzip-1.6-9.6.2
SUSE Linux Enterprise Server 12-SP3-BCL (src): gzip-1.6-9.6.2
SUSE Linux Enterprise Server 12-SP2-BCL (src): gzip-1.6-9.6.2
HPE Helion Openstack 8 (src): gzip-1.6-9.6.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1272-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1198062
CVE References: CVE-2022-1271
JIRA References:
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): gzip-1.10-4.11.3
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1617-1: An update that solves one vulnerability and has one errata is now available.
Category: security (important)
Bug References: 1198062,1198922
CVE References: CVE-2022-1271
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): gzip-1.10-150200.10.1
openSUSE Leap 15.3 (src): gzip-1.10-150200.10.1
SUSE Manager Server 4.1 (src): gzip-1.10-150200.10.1
SUSE Manager Retail Branch Server 4.1 (src): gzip-1.10-150200.10.1
SUSE Manager Proxy 4.1 (src): gzip-1.10-150200.10.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): gzip-1.10-150200.10.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): gzip-1.10-150200.10.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): gzip-1.10-150200.10.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src): gzip-1.10-150200.10.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): gzip-1.10-150200.10.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): gzip-1.10-150200.10.1
SUSE Linux Enterprise Micro 5.2 (src): gzip-1.10-150200.10.1
SUSE Linux Enterprise Micro 5.1 (src): gzip-1.10-150200.10.1
SUSE Linux Enterprise Micro 5.0 (src): gzip-1.10-150200.10.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): gzip-1.10-150200.10.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): gzip-1.10-150200.10.1
SUSE Enterprise Storage 7 (src): gzip-1.10-150200.10.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done
Fixes for xzutils' xzgrep are missing.
Submitted as https://build.opensuse.org/request/show/994818
All done, closing.