PR#7: xzgrep: arbitrary code-execuction and file-write vulnerability (#2073310, CVE-2022-1271) - rpms/xz

		`@@ -0,0 +1,75 @@`
		`+ -----BEGIN PGP PUBLIC KEY BLOCK-----`
		`+`
		`+ mQINBEzEOZIBEACxg/IuXERlDB48JBWmF4NxNUuuup1IhJAJyFGFSKh3OGAO2Ard`
		`+ sNuRLjANsFXA7m7P5eTFcG+BoHHuAVYmKnI3PPZtHVLnUt4pGItPczQZ2BE1WpcI`
		`+ ayjGTBJeKItX3Npqg9D/odO9WWS1i3FQPVdrLn0YH37/BA66jeMQCRo7g7GLpaNf`
		`+ IrvYGsqTbxCwsmA37rpE7oyU4Yrf74HT091WBsRIoq/MelhbxTDMR8eu/dUGZQVc`
		`+ Kj3lN55RepwWwUUKyqarY0zMt4HkFJ7v7yRL+Cvzy92Ouv4Wf2FlhNtEs5LE4Tax`
		`+ W0PO5AEmUoKjX87SezQK0f652018b4u6Ex52cY7p+n5TII/UyoowH6+tY8UHo9yb`
		`+ fStrqgNE/mY2bhA6+AwCaOUGsFzVVPTbjtxL3HacUP/jlA1h78V8VTvTs5d55iG7`
		`+ jSqR9o05wje8rwNiXXK0xtiJahyNzL97Kn/DgPSqPIi45G+8nxWSPFM5eunBKRl9`
		`+ vAnsvwrdPRsR6YR3uMHTuVhQX9/CY891MHkaZJ6wydWtKt3yQwJLYqwo5d4DwnUX`
		`+ CduUwSKv+6RmtWI5ZmTQYOcBRcZyGKml9X9Q8iSbm6cnpFXmLrNQwCJN+D3SiYGc`
		`+ MtbltZo0ysPMa6Xj5xFaYqWk/BI4iLb2Gs+ByGo/+a0Eq4XYBMOpitNniQARAQAB`
		`+ tCdMYXNzZSBDb2xsaW4gPGxhc3NlLmNvbGxpbkB0dWthYW5pLm9yZz6JAlEEEwEK`
		`+ ADsCGwMCHgECF4AECwkIBwMVCggFFgIDAQAWIQQ2kMJAzlG0Zw0wrRw47nV9aRhG`
		`+ IAUCYEt9dQUJFxeR4wAKCRA47nV9aRhGIBNDEACxD6vJ+enZwe3IgkJh5JtLsC9b`
		`+ MWCQRlPW1EVMsg96Cb5Rtron1eN1pp1TlzENJu1/C7C/VEsr9WwOPg26Men7fNf/`
		`+ O21QM9IBWd/uB0Pu333WqKh92ESS5x9ST9DrG39nVGSPkQQBMuia72VrA+crPnwT`
		`+ /h/u1IN6/sff5VDIU24rUiqW2Npy733dANruj7Ny0scRXVPltnVdhqwPHt6qNjC1`
		`+ t+/cCnwHgW1BR1RYXBPpB42z/m29dL9rPrG0YPGWs2Bc+EATUICfEE6eIvwfciue`
		`+ IJTjKT9Y9DrogJC2AYFhjC7N04OKdCB2hFs4BjexJwr4X0GJO7LhFl03c951AsIE`
		`+ GHwrucRPB5bo2vmvQ8IvZn7CmtdUJzXv9JlyU6p+MIK1pz7TK6GgSOSffQIXZn6e`
		`+ nUPtm9mEwuncOfmW8/ODYPs1gCWYgyiFJx8h7eEu+M4MxHSFBs7MwXf/Ae2fSp+M`
		`+ P/p198qB8fC5oVBnF95qb0Qi0uc1D+Gb+gpBF+ymMb+s/VBOR3QWiym7AzBrJ62g`
		`+ UnbC9jMLGnSRI+7p7raUfMTgXr5/oQoBw7ExJVltSSRrim2YH/t4CV47mO6dR9J3`
		`+ 1RtsTFIRNhz+07XPsETcuCV/dgqeC8fOFLt9MY17Sufhb1DcGy4urZBOIhXcpTV7`
		`+ vHVj5IYH5nYOT49NRYkCOAQTAQIAIgUCTMQ5kgIbAwYLCQgHAwIGFQgCCQoLBBYC`
		`+ AwECHgECF4AACgkQOO51fWkYRiAg4A/7BXKwoRaXrMbMPOW7vuVF7c2IKB2Yqzn1`
		`+ vLBCwuEHkqY237lDcXY4/5LR+1gcZ3Duw1n/BRSm0FBdvyX/JTWiWNSDUkKAO/0l`
		`+ T2Tg44YLrDT3bzwu8dbU9xQt6kH+SCOHvv5Oe4k79l5mro6fF3H1M0bN63x/YoFY`
		`+ ojy09D7/JptY82oR4f/VdKnfZLJcCViCb0wp8SD2NkDAudKg+K+7PD8HlTWklQQg`
		`+ TZdRXxVZKIJeU42aJDqnRbAhJd64YHyClhqut9F5LUmiP5qfLfNhkKDhNOwk2Blr`
		`+ BGBJkSd7wPyzcX4Mun/L6YspHjbeVMt9TD7HQlo+OOd2OjAHCx6pqwkXnzeLPEaE`
		`+ cPdQ1SHgrBViAxX3DNPubLP0Knw8XwFu96EuhHZgexE1W7bB4LFsJyXAc5k1PqPD`
		`+ CLsAauxmvI2OfI7opG/8wyxDvNgoPjG8fZNAgY0REqPC0JnTXChH31IxUmhNotH8`
		`+ tD3DDTZOHw05n5MwwUrEE9xiETVDfFQcMLfxZ9KLz+BC2g1t5LYublRgnCMNJzFg`
		`+ sNUMM02CphABzl/LCLnumr0eyQQ/weV4twEhLwSDmqLYHL0EdYW0Y3CnnU9vmYxQ`
		`+ cXKbstS71sEJJYBBmSBbf9GxkOY8BRNtwVwY0kPgxv1WqdVBiAFvfB+pyAsrax9B`
		`+ 3UeB7ZSwRD6JAhwEEAEKAAYFAlS25GwACgkQlbYYGy0z6ew92Q//ZA9/6piQtoW4`
		`+ PwP/1DtWGyKU8hwR+9FG669iPk/dAG+yoEJtFMOUpg/FUFmCX8Bc4oEHsCVyLxKt`
		`+ DcCVUIRcYNSFi5hTZaBEbwsOlDT37gtlfIIu34hhHRccKaLnN/N9gNMNw8wGh9xg`
		`+ Q/KtxZwcbk/bZIlDkKTJkFBRAekdEGAFDWb/AZOy+LQxS8ZAh1eWkfV0i8opmK9k`
		`+ gPXtLE0WSsqtYyGs58z+BFE9NH3tEUwK6jSvtuLwQl4UrICNbKthcpb8WwH6UXzb`
		`+ q3QNSYVOpf/cqRdBJA6bvb/ku/xyKVL08lGmxD9v1b137R7mafDAFPTsvH2Mt/0V`
		`+ YuhtWav3r1Bl9QksDxt2DTS8wiWDUBetGqOVdcw7vBrXPEWDNBmxeJXsiJ7zJlR+`
		`+ 9wrJOm6RV2+l1IPxu96EaPS+kTNBijKrhxb67bww8BTEWTd0wcdJmgWRkM8SIstp`
		`+ IKqd0L2TFYph2/NtrBhRg+DIEPJPpSTGsUMcCEXCZPQ+cIdlQKsWpk0tZ62DlvEl`
		`+ r7E+wgUSQolRfx5KrpZifiS2zQlhzdXv28CJhsVbLyw5fUAWUKIH/dCo5NKsNLk2`
		`+ Lc5DH9VWnFgxAAtW290FqeK/4ulMq7Vs1dQSwyHM2Ni3QqqeaiOrh8gbSY5CMLFN`
		`+ Y3HYRwuTYPa3AobsozCzBj0Zdf/6AFe5Ag0ETMQ5kgEQAL/FwKdjxgPxtSpgq1SM`
		`+ zgZtTTyLqhgGD3NZfadHWHYRIL38NDV3JeTA79Y2zj2dj7KQPDT+0aqeizTV2E3j`
		`+ P3iCQ53VOT4consBaQAgKexpptnS+T1DobtICFJ0GGzf0HRj6KO2zSOuOitWPWlU`
		`+ wbvX7M0LLI2+hqlx0jTPqbJFZ/Za6KTtbS6xdCPVUpUqYZQpokEZcwQmUp8Q+lGo`
		`+ JD2sNYCZyap63X/aAOgCGr2RXYddOH5e8vGzGW+mwtCv+WQ9Ay35mGqI5MqkbZd1`
		`+ Qbuv2b1647E/QEEucfRHVbJVKGGPpFMUJtcItyyIt5jo+r9CCL4Cs47dF/9/RNwu`
		`+ NvpvHXUyqMBQdWNZRMx4k/NGD/WviPi9m6mIMui6rOQsSOaqYdcUX4Nq2Orr3Oaz`
		`+ 2JPQdUfeI23iot1vK8hxvUCQTV3HfJghizN6spVl0yQOKBiE8miJRgrjHilH3hTb`
		`+ xoo42xDkNAq+CQo3QAm1ibDxKCDq0RcWPjcCRAN/Q5MmpcodpdKkzV0yGIS4g7s5`
		`+ frVrgV/kox2r4/Yxsr8K909+4H82AjTKGX/BmsQFCTAqBk6p7I0zxjIqJ/w33TZB`
		`+ Q0Pn4r3WIlUPafzY6a9/LAvN1fHRxf9SpCByJsszD03Qu5f5TB8gthsdnVmTo7jj`
		`+ iordEKMtw2aEMLzdWWTQ/TNVABEBAAGJAjwEGAEKACYCGwwWIQQ2kMJAzlG0Zw0w`
		`+ rRw47nV9aRhGIAUCYEt9YAUJFxeRzgAKCRA47nV9aRhGIMLtD/9HuKM4pngImcuz`
		`+ YwzQmdv4j26YYyh4jVsKEmVWTiRcehEgUIlrWkCu3qzd5NK+RetS7kJ8MPnzEUfj`
		`+ YbpdC6yrF6n1mSrZZ4VJMkV2ev37bIgXM+Wp1mCAGbjNxQnjn9RabT/gjIqmGuRn`
		`+ AP7RsSeOSuO/gO9h2Pteciz23ussTilB+8cTooQEQQZe6Kv/zukvL+ccSehLHsZ7`
		`+ qVfRUAmtt8nFkXXE+s8jfLfhqstaI2/RJu5witaPcXM8Mnz2E95aASAbZy0eQot9`
		`+ 0Pvf07n9yuC3tueTvzvlXx3h5U3yT44tIOmzANIQjay1TGdm+RBJ2ZYyhyLawlZ2`
		`+ NVUXXSp4QZZXPA0UWbF+pb7Q9cdKDNFVuvGBljuea0Yd0T2o+ibDq43HziX9ll+l`
		`+ SXk9mqvW1UcDOaxWrSsm1Gc1O9g3wqH5xHAhtY8GPh/7VgAawskPkmnlkMW6pYPy`
		`+ zibbeISJL1gd1jIT63y6aoVrtNoo+wYJm280ROflh4+5QOo6QJ+jm70fkXSG/qJ5`
		`+ a8/qCPTHkJc/rpkL6/TDQAJURi9RhDAC0gb40HtusbN1LZEA+i0cWTmYXap+DB4Y`
		`+ R4pApilpaG87M+VUokR4xpnx7vTb2MPa7Mdenvi9FEGnKXadmT8038vlfzz5GGUT`
		`+ MlVin9BQPTpdA+PpRiJvKJgVDeAFOg==`
		`+ =asTC`
		`+ -----END PGP PUBLIC KEY BLOCK-----`

sources

file modified

		`@@ -1,1 +1,3 @@`
		`SHA512 (xz-5.2.5.tar.xz) = 59266068a51cb616eb31b67cd8f07ffeb2288d1391c61665ae2ec6814465afac80fec69248f6a2f2db45b44475af001296a99af6a32287226a9c41419173ccbb`
		`+ SHA512 (xz-5.2.5.tar.xz.sig) = ea0218ac25843c8b44686871fba573809618f074465ec52f5966a082aeeb5e01bd646d462a56a6af7a786e1c69a05b135a6735ad1f3be27daecf3a2f9be865a5`
		`+ SHA512 (xzgrep-ZDI-CAN-16587.patch.sig) = 527c2702cf3ff3ddee6e49feb6d2305e4e9cd786f856b25f0cb5776df1341c5a960ba54c179cb27c507011e1223baf4a10de8a546199806ff96f531f62b9f136`

xz.spec

file modified

+18 -3

		`@@ -4,7 +4,7 @@`
		`Summary: LZMA compression utilities`
		`Name: xz`
		`Version: 5.2.5`
		`- Release: 8%{?dist}`
		`+ Release: 9%{?dist}`

		`# Scripts xz{grep,diff,less,more} and symlinks (copied from gzip) are`
		`# GPLv2+, binaries are Public Domain (linked against LGPL getopt_long but its`
		`@@ -12,11 +12,19 @@`
		`License: GPLv2+ and Public Domain`
		`# official upstream release`
		`Source0: https://tukaani.org/%{name}/%{name}-%{version}.tar.xz`
		`+ Source1: https://tukaani.org/%{name}/%{name}-%{version}.tar.xz.sig`
		`+ # https://tukaani.org/misc/lasse_collin_pubkey.txt`
		`+ Source2: gpgkey-3690C240CE51B4670D30AD1C38EE757D69184620.asc`
		`+ # Signature for Patch2`
		`+ Source3: https://tukaani.org/%{name}/xzgrep-ZDI-CAN-16587.patch.sig`

		`Source100: colorxzgrep.sh`
		`Source101: colorxzgrep.csh`

		`- Patch1: xz-5.2.5-enable_CET.patch`
		`+ Patch1: xz-5.2.5-enable_CET.patch`
		`+ # xzgrep: arbitrary-file-write vulnerability (CVE-2022-1271)`
		`+ # NOTE: Source3 contains the upstream signature for this patch`
		`+ Patch2: https://tukaani.org/%{name}/xzgrep-ZDI-CAN-16587.patch`

		`URL: https://tukaani.org/%{name}/`
		`Requires: %{name}-libs%{?_isa} = %{version}-%{release}`
		`@@ -26,8 +34,9 @@`
		`# have grepconf, but we're only concerned with F22 here.`
		`Requires: grep >= 2.20-5`

		`- BuildRequires: make`
		`+ BuildRequires: make`
		`BuildRequires: gcc`
		`+ BuildRequires: gnupg2`
		`BuildRequires: perl-interpreter`


		`@@ -83,6 +92,8 @@`


		`%prep`
		`+ %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'`
		`+ %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE3}' --data='%{PATCH2}'`
		`%autosetup -p1`


		`@@ -156,6 +167,10 @@`


		`%changelog`
		`+ * Sat Apr 16 2022 Todd Zullinger <tmz@pobox.com> - 5.2.5-9`
		`+ - verify upstream GPG signature`
		`+ - xzgrep: arbitrary-file-write vulnerability (#2073310, CVE-2022-1271)`
		`+`
		`* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 5.2.5-8`
		`- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild`

xzgrep-ZDI-CAN-16587.patch

file added

+94

		`@@ -0,0 +1,94 @@`
		`+ From 69d1b3fc29677af8ade8dc15dba83f0589cb63d6 Mon Sep 17 00:00:00 2001`
		`+ From: Lasse Collin <lasse.collin@tukaani.org>`
		`+ Date: Tue, 29 Mar 2022 19:19:12 +0300`
		`+ Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587).`
		`+`
		`+ Malicious filenames can make xzgrep to write to arbitrary files`
		`+ or (with a GNU sed extension) lead to arbitrary code execution.`
		`+`
		`+ xzgrep from XZ Utils versions up to and including 5.2.5 are`
		`+ affected. 5.3.1alpha and 5.3.2alpha are affected as well.`
		`+ This patch works for all of them.`
		`+`
		`+ This bug was inherited from gzip's zgrep. gzip 1.12 includes`
		`+ a fix for zgrep.`
		`+`
		`+ The issue with the old sed script is that with multiple newlines,`
		`+ the N-command will read the second line of input, then the`
		`+ s-commands will be skipped because it's not the end of the`
		`+ file yet, then a new sed cycle starts and the pattern space`
		`+ is printed and emptied. So only the last line or two get escaped.`
		`+`
		`+ One way to fix this would be to read all lines into the pattern`
		`+ space first. However, the included fix is even simpler: All lines`
		`+ except the last line get a backslash appended at the end. To ensure`
		`+ that shell command substitution doesn't eat a possible trailing`
		`+ newline, a colon is appended to the filename before escaping.`
		`+ The colon is later used to separate the filename from the grep`
		`+ output so it is fine to add it here instead of a few lines later.`
		`+`
		`+ The old code also wasn't POSIX compliant as it used \n in the`
		`+ replacement section of the s-command. Using \<newline> is the`
		`+ POSIX compatible method.`
		`+`
		`+ LC_ALL=C was added to the two critical sed commands. POSIX sed`
		`+ manual recommends it when using sed to manipulate pathnames`
		`+ because in other locales invalid multibyte sequences might`
		`+ cause issues with some sed implementations. In case of GNU sed,`
		`+ these particular sed scripts wouldn't have such problems but some`
		`+ other scripts could have, see:`
		`+`
		`+ info '(sed)Locale Considerations'`
		`+`
		`+ This vulnerability was discovered by:`
		`+ cleemy desu wayo working with Trend Micro Zero Day Initiative`
		`+`
		`+ Thanks to Jim Meyering and Paul Eggert discussing the different`
		`+ ways to fix this and for coordinating the patch release schedule`
		`+ with gzip.`
		`+ ---`
		`+ src/scripts/xzgrep.in \| 20 ++++++++++++--------`
		`+ 1 file changed, 12 insertions(+), 8 deletions(-)`
		`+`
		`+ diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in`
		`+ index b180936..e5186ba 100644`
		`+ --- a/src/scripts/xzgrep.in`
		`+ +++ b/src/scripts/xzgrep.in`
		`+ @@ -180,22 +180,26 @@ for i; do`
		`+ { test $# -eq 1 \|\| test $no_filename -eq 1; }; then`
		`+ eval "$grep"`
		`+ else`
		`+ + # Append a colon so that the last character will never be a newline`
		`+ + # which would otherwise get lost in shell command substitution.`
		`+ + i="$i:"`
		`+ +`
		`+ + # Escape & \ \| and newlines only if such characters are present`
		`+ + # (speed optimization).`
		`+ case $i in`
		`+ (*'`
		`+ '* \| '&' \| '\' \| '\|')`
		`+ - i=$(printf '%s\n' "$i" \|`
		`+ - sed '`
		`+ - $!N`
		`+ - $s/[&\\|]/\\&/g`
		`+ - $s/\n/\\n/g`
		`+ - ');;`
		`+ + i=$(printf '%s\n' "$i" \| LC_ALL=C sed 's/[&\\|]/\\&/g; $!s/$/\\/');;`
		`+ esac`
		`+ - sed_script="s\|^\|$i:\|"`
		`+ +`
		`+ + # $i already ends with a colon so don't add it here.`
		`+ + sed_script="s\|^\|$i\|"`
		`+`
		`+ # Fail if grep or sed fails.`
		`+ r=$(`
		`+ exec 4>&1`
		`+ - (eval "$grep" 4>&-; echo $? >&4) 3>&- \| sed "$sed_script" >&3 4>&-`
		`+ + (eval "$grep" 4>&-; echo $? >&4) 3>&- \|`
		`+ + LC_ALL=C sed "$sed_script" >&3 4>&-`
		`+ ) \|\| r=2`
		`+ exit $r`
		`+ fi >&3 5>&-`
		`+ --`
		`+ 2.35.1`
		`+`