packages/gzip
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!21 fix CVE-2022-1271

Browse Source 
From: @tong_1001 
Reviewed-by: @lvying6 
Signed-off-by: @lvying6
This commit is contained in:
openeuler-ci-bot 2022-04-21 01:38:23 +00:00 committed by Gitee
commit 26f368609c
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
4 changed files with 175 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
backport-0001-CVE-2022-1271.patch Normal file
View File

@ -0,0 +1,43 @@
From dc9740df61e575e8c3148b7bd3c147a81ea00c7c Mon Sep 17 00:00:00 2001
From: Lasse Collin <lasse.collin@tukaani.org>
Date: Mon, 4 Apr 2022 23:52:49 -0700
Subject: zgrep: avoid exploit via multi-newline file names
* zgrep.in: The issue with the old code is that with multiple
newlines, the N-command will read the second line of input,
then the s-commands will be skipped because it's not the end
of the file yet, then a new sed cycle starts and the pattern
space is printed and emptied. So only the last line or two get
escaped. This patch makes sed read all lines into the pattern
space and then do the escaping.
This vulnerability was discovered by:
cleemy desu wayo working with Trend Micro Zero Day Initiative
---
zgrep.in | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/zgrep.in b/zgrep.in
index 345dae3..bdf7da2 100644
--- a/zgrep.in
+++ b/zgrep.in
@@ -222,9 +222,13 @@ do
'* | *'&'* | *'\'* | *'|'*)
i=$(printf '%s\n' "$i" |
sed '
- $!N
- $s/[&\|]/\\&/g
- $s/\n/\\n/g
+ :start
+ $!{
+ N
+ b start
+ }
+ s/[&\|]/\\&/g
+ s/\n/\\n/g
');;
esac
sed_script="s|^|$i:|"
--
1.8.3.1

77
backport-0002-CVE-2022-1271.patch Normal file
View File

@ -0,0 +1,77 @@
From d74a30d45c6834c8e9f87115197370fe86656d81 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@fb.com>
Date: Mon, 4 Apr 2022 23:52:49 -0700
Subject: zgrep: add NEWS and tests for this exploitable bug
* tests/zgrep-abuse: New file, based on PoC by cleemy desu wayo.
* tests/Makefile.am (TESTS): Add it.
* NEWS: Mention the exploit.
The bug appears to have been present since the beginning.
---
tests/Makefile.am | 1 +
tests/zgrep-abuse | 41 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 42 insertions(+)
create mode 100755 tests/zgrep-abuse
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 18e7c8a..28a1828 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -36,6 +36,7 @@ TESTS = \
z-suffix \
zdiff \
zgrep-f \
+ zgrep-abuse \
zgrep-context \
zgrep-signal \
znew-k
diff --git a/tests/zgrep-abuse b/tests/zgrep-abuse
new file mode 100755
index 0000000..3e8a8f9
--- /dev/null
+++ b/tests/zgrep-abuse
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Show how zgrep applied to a crafted file name may overwrite
+# a selected file with chosen content. Fixed in gzip-1.12.
+
+# Copyright (C) 2022 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+# limit so don't run it by default.
+
+. "${srcdir=.}/init.sh"; path_prepend_ ..
+
+: > z || framework_failure_
+echo test |gzip > 'z|
+p
+1s|.*|chosen-content|
+1w hacked
+etouch .\x2fhacked2
+d
+#
+#' || framework_failure_
+
+fail=0
+
+zgrep test z* > /dev/null
+
+# Before the fix, each of these would be created.
+test -f hacked && fail=1
+test -f hacked2 && fail=1
+
+Exit $fail
--
1.8.3.1

46
backport-0003-CVE-2022-1271.patch Normal file
View File

@ -0,0 +1,46 @@
From c99f320d5c0fd98fe88d9cea5407eb7ad9d50e8a Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Mon, 4 Apr 2022 23:52:49 -0700
Subject: zgrep: port to POSIX sed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* zgrep.in (res): When escaping the file name do not rely on GNU
seds extension to POSIX with respect to s/.../\n/. Instead, use
features that should also work with AIX and/or Solaris sed. This is
simpler anyway, and would have prevented the recently-fixed bug.
---
zgrep.in | 15 ++++-----------
1 file changed, 4 insertions(+), 11 deletions(-)
diff --git a/zgrep.in b/zgrep.in
index bdf7da2..6a16dd1 100644
--- a/zgrep.in
+++ b/zgrep.in
@@ -220,18 +220,11 @@ do
case $i in
(*'
'* | *'&'* | *'\'* | *'|'*)
- i=$(printf '%s\n' "$i" |
- sed '
- :start
- $!{
- N
- b start
- }
- s/[&\|]/\\&/g
- s/\n/\\n/g
- ');;
+ icolon=$(printf '%s\n' "$i:" |
+ sed -e 's/[&\|]/\\&/g' -e '$!s/$/\\/');;
+ (*) icolon="$i:";;
esac
- sed_script="s|^|$i:|"
+ sed_script="s|^|$icolon|"
# Fail if grep or sed fails.
r=$(
--
1.8.3.1

11
gzip.spec
View File

@ -1,6 +1,6 @@
Name: gzip
Version: 1.11
Release: 2
Release: 3
Summary: A data compression utility
License: GPLv3
@ -15,6 +15,10 @@ Patch6003: zdiff-fix-another-arg-handling-bug.patch
Patch9000: fix-verbose-disable.patch
Patch9001: performance-neoncrc32-and-prfm.patch
Patch6004: backport-0001-CVE-2022-1271.patch
Patch6005: backport-0002-CVE-2022-1271.patch
Patch6006: backport-0003-CVE-2022-1271.patch
BuildRequires: gcc texinfo less autoconf automake
Requires: coreutils
Conflicts: filesystem < 3
@ -63,6 +67,9 @@ make check
%{_mandir}/man1/*
%changelog
* Wed Apr 20 2022 shixuantong <shixuantong@h-partners.com> - 1.11-3
- fix CVE-2022-1271
* Fri Apr 01 2022 tianwei<tianwei12@h-partners.com> - 1.11-2
- backport bugfix patches from upstream and fix build failure in OBS
@ -76,7 +83,7 @@ make check
- DESC: fix testsuite fail
* Fri Apr 24 2020 BruceGW <gyl93216@163.com> - 1.10-1
* update upstream to 1.10
- update upstream to 1.10
* Fri Jan 17 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.9-18
- Type:performance improve