Bug 1198062 (CVE-2022-1271)

Summary: VUL-0: CVE-2022-1271: gzip,xz: Fix escaping of malicious filenames (ZDI-CAN-16587)
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: gabriele.sonnu, jsegitz, meissner, msuchanek, rfrohl, suse-beta
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/328097/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-1271:8.4:(AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Patch
Other patches
one more patch
gzip full patches series [*/7]
XZ patch
gzip full patches series [*/7]

Description Gianluca Gabrielli 2022-04-05 07:17:41 UTC
From distros private ML
-----------------------

This is to inform you of an exploitable bug in both GNU gzip's zgrep and
xzutils' xzgrep.  Running those tools on attacker-chosen file names can
result in writing attacker-chosen content to arbitrary attacker-chosen
files.  Both the selected content and the target file names are embedded
in crafted multi-line file names. With GNU sed, the exploit also enables
remote code execution via its "e" command.

This sounds bad, but may be relatively hard to exploit, other than by
means of "Here's a zip archive, download it and use x?zgrep to search
through it" (note that these programs reject --recursive/-r).  Of course,
if there is some scripted process (esp. if root-run) that runs x?zgrep on
potentially malicious files, ...

These bugs were discovered by
cleemy desu wayo working with Trend Micro Zero Day Initiative.

Both gzip and xzutils have unpublished fixes and are prepared
to make releases, but we wanted to ensure that no one here would like a delay.

If you think these deserve a CVE number and provide one,
we'll be sure to mention that in the commit logs.

I've attached Lasse's xzgrep patch and a zgrep-poc.sh.

If I hear no objection by the end of Wednesday, April 6, I expect we'll
release both gzip and xzutils soon after.
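An added defensive pre-flight check for the scripted x?zgrep jobs the report warns about (example code, not part of the bug report or of the upstream gzip/xz fixes; the function names are this example's own). It refuses file names that embed a newline, the trigger described above, or that fall outside a conservative allow-list, before any such name reaches zgrep or xzgrep.

```shell
# Added example: reject untrusted file names before a scripted (possibly
# root-run) job passes them to zgrep/xzgrep. Function names are assumptions.

# A literal newline. $(printf '\n') alone would be stripped to "", hence the x.
NL="$(printf '\nx')"; NL="${NL%x}"

# name_is_unsafe NAME -> exit 0 if NAME must not be handed to x?zgrep.
name_is_unsafe() {
    case "$1" in
        *"$NL"*)             return 0 ;;  # embedded newline: the CVE trigger
        *[!A-Za-z0-9./_+-]*) return 0 ;;  # anything sed might interpret
        *)                   return 1 ;;
    esac
}

# filter_safe_names NAME... -> prints the names that passed, one per line,
# reports rejected ones on stderr (newlines shown as '?'), exit 1 if any failed.
filter_safe_names() {
    rc=0
    for n in "$@"; do
        if name_is_unsafe "$n"; then
            printf 'rejected: %s\n' "$(printf '%s' "$n" | tr '\n' '?')" >&2
            rc=1
        else
            printf '%s\n' "$n"
        fi
    done
    return $rc
}

# count_unsafe_in_dir DIR -> prints how many entries in DIR have unsafe names.
# A glob keeps multi-line names intact, unlike a `for f in $(ls)` loop.
count_unsafe_in_dir() {
    c=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        name_is_unsafe "${f#"$1"/}" && c=$((c + 1))
    done
    printf '%s\n' "$c"
}

# Typical use in a job script:
#   filter_safe_names "$@" >/dev/null || exit 1
#   zgrep -- "$pattern" "$@"
```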
Comment 14 Gianluca Gabrielli 2022-04-08 06:17:40 UTC
CVE-2022-1271 assigned
Comment 15 Gianluca Gabrielli 2022-04-08 08:30:00 UTC
public on osss
Comment 18 Gianluca Gabrielli 2022-04-08 10:09:39 UTC
Created attachment 857958 [details]
XZ patch

Same as the obsoleted one. I just re-uploaded it to give it a better name.
Comment 19 Gianluca Gabrielli 2022-04-08 10:12:54 UTC
Created attachment 857959 [details]
gzip full patches series [*/7]

This is the full series, including the missing 7th patch which still needs to be applied.
Comment 20 OBSbugzilla Bot 2022-04-09 13:20:04 UTC
This is an autogenerated message for OBS integration:
This bug (1198062) was mentioned in
https://build.opensuse.org/request/show/968010 Factory / gzip
Comment 21 Christian Boltz 2022-04-10 15:04:27 UTC
FYI: I submitted an AppArmor profile for zgrep and xzgrep that will prevent exploiting this issue: https://build.opensuse.org/request/show/968253
Comment 23 Marcus Meissner 2022-04-11 13:54:29 UTC
*** Bug 1198333 has been marked as a duplicate of this bug. ***
Comment 24 Michal Suchanek 2022-04-11 13:56:29 UTC
Does this affect lzgrep/bzgrep?
Comment 25 Swamp Workflow Management 2022-04-12 16:21:19 UTC
SUSE-SU-2022:1160-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1198062
CVE References: CVE-2022-1271
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    xz-5.0.5-6.7.1
SUSE OpenStack Cloud Crowbar 8 (src):    xz-5.0.5-6.7.1
SUSE OpenStack Cloud 9 (src):    xz-5.0.5-6.7.1
SUSE OpenStack Cloud 8 (src):    xz-5.0.5-6.7.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    xz-5.0.5-6.7.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    xz-5.0.5-6.7.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    xz-5.0.5-6.7.1
SUSE Linux Enterprise Server 12-SP5 (src):    xz-5.0.5-6.7.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    xz-5.0.5-6.7.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    xz-5.0.5-6.7.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    xz-5.0.5-6.7.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    xz-5.0.5-6.7.1
HPE Helion Openstack 8 (src):    xz-5.0.5-6.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Swamp Workflow Management 2022-04-12 16:22:31 UTC
SUSE-SU-2022:1158-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1198062
CVE References: CVE-2022-1271
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    xz-5.2.3-150000.4.7.1
openSUSE Leap 15.3 (src):    xz-5.2.3-150000.4.7.1
SUSE Manager Server 4.1 (src):    xz-5.2.3-150000.4.7.1
SUSE Manager Retail Branch Server 4.1 (src):    xz-5.2.3-150000.4.7.1
SUSE Manager Proxy 4.1 (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Server for SAP 15 (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Server 15-LTSS (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Micro 5.2 (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Micro 5.1 (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise Micro 5.0 (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    xz-5.2.3-150000.4.7.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    xz-5.2.3-150000.4.7.1
SUSE Enterprise Storage 7 (src):    xz-5.2.3-150000.4.7.1
SUSE Enterprise Storage 6 (src):    xz-5.2.3-150000.4.7.1
SUSE CaaS Platform 4.0 (src):    xz-5.2.3-150000.4.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2022-04-12 16:30:49 UTC
SUSE-SU-2022:14938-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1198062
CVE References: CVE-2022-1271
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    xz-5.0.3-0.12.7.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xz-5.0.3-0.12.7.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xz-5.0.3-0.12.7.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    xz-5.0.3-0.12.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Swamp Workflow Management 2022-04-17 19:18:46 UTC
SUSE-SU-2022:1250-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1177047,1180713,1198062
CVE References: CVE-2022-1271
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    gzip-1.10-150000.4.12.1
SUSE Linux Enterprise Server for SAP 15 (src):    gzip-1.10-150000.4.12.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    gzip-1.10-150000.4.12.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    gzip-1.10-150000.4.12.1
SUSE Linux Enterprise Server 15-LTSS (src):    gzip-1.10-150000.4.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    gzip-1.10-150000.4.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    gzip-1.10-150000.4.12.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    gzip-1.10-150000.4.12.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    gzip-1.10-150000.4.12.1
SUSE Enterprise Storage 6 (src):    gzip-1.10-150000.4.12.1
SUSE CaaS Platform 4.0 (src):    gzip-1.10-150000.4.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 31 Swamp Workflow Management 2022-04-20 10:20:57 UTC
SUSE-SU-2022:1275-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1198062
CVE References: CVE-2022-1271
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    gzip-1.6-9.6.2
SUSE OpenStack Cloud Crowbar 8 (src):    gzip-1.6-9.6.2
SUSE OpenStack Cloud 9 (src):    gzip-1.6-9.6.2
SUSE OpenStack Cloud 8 (src):    gzip-1.6-9.6.2
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    gzip-1.6-9.6.2
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    gzip-1.6-9.6.2
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    gzip-1.6-9.6.2
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    gzip-1.6-9.6.2
SUSE Linux Enterprise Server 12-SP3-BCL (src):    gzip-1.6-9.6.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    gzip-1.6-9.6.2
HPE Helion Openstack 8 (src):    gzip-1.6-9.6.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 32 Swamp Workflow Management 2022-04-20 10:25:53 UTC
SUSE-SU-2022:1272-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1198062
CVE References: CVE-2022-1271
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    gzip-1.10-4.11.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 36 Swamp Workflow Management 2022-05-10 16:18:01 UTC
SUSE-SU-2022:1617-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1198062,1198922
CVE References: CVE-2022-1271
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    gzip-1.10-150200.10.1
openSUSE Leap 15.3 (src):    gzip-1.10-150200.10.1
SUSE Manager Server 4.1 (src):    gzip-1.10-150200.10.1
SUSE Manager Retail Branch Server 4.1 (src):    gzip-1.10-150200.10.1
SUSE Manager Proxy 4.1 (src):    gzip-1.10-150200.10.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    gzip-1.10-150200.10.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    gzip-1.10-150200.10.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    gzip-1.10-150200.10.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    gzip-1.10-150200.10.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    gzip-1.10-150200.10.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    gzip-1.10-150200.10.1
SUSE Linux Enterprise Micro 5.2 (src):    gzip-1.10-150200.10.1
SUSE Linux Enterprise Micro 5.1 (src):    gzip-1.10-150200.10.1
SUSE Linux Enterprise Micro 5.0 (src):    gzip-1.10-150200.10.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    gzip-1.10-150200.10.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    gzip-1.10-150200.10.1
SUSE Enterprise Storage 7 (src):    gzip-1.10-150200.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 37 Gabriele Sonnu 2022-07-29 13:15:58 UTC
Done