diff options
Diffstat (limited to 'poky/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch')
-rw-r--r-- | poky/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/poky/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch b/poky/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch new file mode 100644 index 0000000000..046c95df47 --- /dev/null +++ b/poky/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch @@ -0,0 +1,45 @@ +From 7073a366ee71639a1902eefb7500e14acb920f64 Mon Sep 17 00:00:00 2001 +From: Lasse Collin <lasse.collin@tukaani.org> +Date: Mon, 4 Apr 2022 23:52:49 -0700 +Subject: [PATCH] zgrep: avoid exploit via multi-newline file names + +* zgrep.in: The issue with the old code is that with multiple +newlines, the N-command will read the second line of input, +then the s-commands will be skipped because it's not the end +of the file yet, then a new sed cycle starts and the pattern +space is printed and emptied. So only the last line or two get +escaped. This patch makes sed read all lines into the pattern +space and then do the escaping. + +This vulnerability was discovered by: +cleemy desu wayo working with Trend Micro Zero Day Initiative + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c] +CVE: CVE-2022-1271 + +Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> +--- + zgrep.in | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/zgrep.in b/zgrep.in +index 3efdb52..d391291 100644 +--- a/zgrep.in ++++ b/zgrep.in +@@ -222,9 +222,13 @@ do + '* | *'&'* | *'\'* | *'|'*) + i=$(printf '%s\n' "$i" | + sed ' +- $!N +- $s/[&\|]/\\&/g +- $s/\n/\\n/g ++ :start ++ $!{ ++ N ++ b start ++ } ++ s/[&\|]/\\&/g ++ s/\n/\\n/g + ');; + esac + sed_script="s|^|$i:|" |