From: Ralph Siemsen <ralph.siemsen@linaro.org>
Date: Sat, 9 Apr 2022 02:17:23 +0000 (-0400)
Subject: gzip: fix CVE-2022-1271
X-Git-Tag: yocto-3.1.16~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b7f0696bc60409af215549d26621526c1a93a002;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git

gzip: fix CVE-2022-1271

zgrep applied to a crafted file name with two or more newlines
can no longer overwrite an arbitrary, attacker-selected file.

Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c]
CVE: CVE-2022-1271

Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---

diff --git a/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch b/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch
new file mode 100644
index 00000000000..046c95df478
--- /dev/null
+++ b/meta/recipes-extended/gzip/gzip-1.10/CVE-2022-1271.patch
@@ -0,0 +1,45 @@
+From 7073a366ee71639a1902eefb7500e14acb920f64 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <lasse.collin@tukaani.org>
+Date: Mon, 4 Apr 2022 23:52:49 -0700
+Subject: [PATCH] zgrep: avoid exploit via multi-newline file names
+
+* zgrep.in: The issue with the old code is that with multiple
+newlines, the N-command will read the second line of input,
+then the s-commands will be skipped because it's not the end
+of the file yet, then a new sed cycle starts and the pattern
+space is printed and emptied. So only the last line or two get
+escaped. This patch makes sed read all lines into the pattern
+space and then do the escaping.
+
+This vulnerability was discovered by:
+cleemy desu wayo working with Trend Micro Zero Day Initiative
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c]
+CVE: CVE-2022-1271
+
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+---
+ zgrep.in | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/zgrep.in b/zgrep.in
+index 3efdb52..d391291 100644
+--- a/zgrep.in
++++ b/zgrep.in
+@@ -222,9 +222,13 @@ do
+ '* | *'&'* | *'\'* | *'|'*)
+         i=$(printf '%s\n' "$i" |
+             sed '
+-              $!N
+-              $s/[&\|]/\\&/g
+-              $s/\n/\\n/g
++              :start
++              $!{
++                N
++                b start
++              }
++              s/[&\|]/\\&/g
++              s/\n/\\n/g
+             ');;
+       esac
+       sed_script="s|^|$i:|"
diff --git a/meta/recipes-extended/gzip/gzip_1.10.bb b/meta/recipes-extended/gzip/gzip_1.10.bb
index 9778e687e1a..c558c21f101 100644
--- a/meta/recipes-extended/gzip/gzip_1.10.bb
+++ b/meta/recipes-extended/gzip/gzip_1.10.bb
@@ -4,6 +4,7 @@ LICENSE = "GPLv3+"
 
 SRC_URI = "${GNU_MIRROR}/gzip/${BP}.tar.gz \
            file://run-ptest \
+           file://CVE-2022-1271.patch \
           "
 SRC_URI_append_class-target = " file://wrong-path-fix.patch"