Bug 30261

Summary: xz, gzip new security issue CVE-2022-1271
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, brtians1, davidwhodgins, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: xz-5.2.5-2.mga8.src.rpm, gzip-1.10-4.mga8.src.rpm CVE: CVE-2022-1271
Status comment:

Description David Walser 2022-04-08 18:46:13 CEST 
A security issue in the zgrep and xzgrep commands has been announced on April 7:
https://www.openwall.com/lists/oss-security/2022/04/08/3

The issue is fixed upstream in gzip 1.12 and a patch is linked from the message above for xz.

Mageia 8 is also affected.
David Walser 2022-04-08 18:46:30 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from upstream

Comment 1 Lewis Smith 2022-04-08 21:14:56 CEST 
Stig has just updated gzip in Cauldron to 1.12, which makes it sensible to assign this bug to you.

Assignee: bugsquad => smelror

Comment 2 David Walser 2022-04-11 16:14:08 CEST 
Debian-LTS has issued advisories for this on April 10:
https://www.debian.org/lts/security/2022/dla-2976
https://www.debian.org/lts/security/2022/dla-2977
Comment 3 David Walser 2022-04-14 00:20:39 CEST 
Ubuntu has issued advisories for this today (April 13):
https://ubuntu.com/security/notices/USN-5378-1
https://ubuntu.com/security/notices/USN-5378-2
Comment 4 David Walser 2022-04-19 17:32:19 CEST 
Debian has issued advisories for this on April 18:
https://www.debian.org/security/2022/dsa-5122
https://www.debian.org/security/2022/dsa-5123
Comment 5 Nicolas Salguero 2022-04-20 09:59:31 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

zgrep, xzgrep: arbitrary-file-write vulnerability. (CVE-2022-1271)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271
https://www.openwall.com/lists/oss-security/2022/04/08/3
https://www.debian.org/lts/security/2022/dla-2976
https://www.debian.org/lts/security/2022/dla-2977
https://ubuntu.com/security/notices/USN-5378-1
https://ubuntu.com/security/notices/USN-5378-2
https://www.debian.org/security/2022/dsa-5122
https://www.debian.org/security/2022/dsa-5123
========================

Updated packages in core/updates_testing:
========================
gzip-1.10-4.1.mga8
lib(64)lzma5-5.2.5-2.1.mga8
lib(64)lzma-devel-5.2.5-2.1.mga8
xz-5.2.5-2.1.mga8

from SRPMS:
gzip-1.10-4.1.mga8.src.rpm
xz-5.2.5-2.1.mga8.src.rpm

Status comment: Patches available from upstream => (none)
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Source RPM: xz-5.2.5-4.mga9.src.rpm, gzip-1.10-4.mga8.src.rpm => xz-5.2.5-2.mga8.src.rpm, gzip-1.10-4.mga8.src.rpm
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-1271
Version: Cauldron => 8
Assignee: smelror => qa-bugs

Comment 6 Brian Rockwell 2022-04-21 19:53:07 CEST 
The following 3 packages are going to be installed:

- gzip-1.10-4.1.mga8.x86_64
- lib64lzma5-5.2.5-2.1.mga8.x86_64
- xz-5.2.5-2.1.mga8.x86_64


-- afterwards 

I zipped a text file - no issues
zipped an avi file and restored it - no issues

no a lot in descriptions of sec-flaw so validating it works

gzip does - will see about testing xz

CC: (none) => brtians1

Comment 7 Brian Rockwell 2022-04-21 20:35:09 CEST 
repeated avi compression test with xz

Videos]$ xz mxx.avi

then decompressed it

xz -d mxx.avi.xz


video still works size matches.

Whiteboard: (none) => MGA8-64-OK

Comment 8 Thomas Andrews 2022-04-22 14:10:28 CEST 
Validating. Advisory in Comment 5.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-04-23 17:57:19 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 9 Mageia Robot 2022-04-23 19:24:19 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0149.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED