A security issue in the zgrep and xzgrep commands was announced on April 7: https://www.openwall.com/lists/oss-security/2022/04/08/3 The issue is fixed upstream in gzip 1.12 and a patch is linked from the message above for xz. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from upstream
Stig has just updated gzip in Cauldron to 1.12, which makes it sensible to assign this bug to you.
Assignee: bugsquad => smelror
Debian-LTS issued advisories for this on April 10: https://www.debian.org/lts/security/2022/dla-2976 https://www.debian.org/lts/security/2022/dla-2977
Ubuntu has issued advisories for this today (April 13): https://ubuntu.com/security/notices/USN-5378-1 https://ubuntu.com/security/notices/USN-5378-2
Debian issued advisories for this on April 18: https://www.debian.org/security/2022/dsa-5122 https://www.debian.org/security/2022/dsa-5123
Suggested advisory:
========================

The updated packages fix a security vulnerability:

zgrep, xzgrep: arbitrary-file-write vulnerability. (CVE-2022-1271)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271
https://www.openwall.com/lists/oss-security/2022/04/08/3
https://www.debian.org/lts/security/2022/dla-2976
https://www.debian.org/lts/security/2022/dla-2977
https://ubuntu.com/security/notices/USN-5378-1
https://ubuntu.com/security/notices/USN-5378-2
https://www.debian.org/security/2022/dsa-5122
https://www.debian.org/security/2022/dsa-5123
========================

Updated packages in core/updates_testing:
========================

gzip-1.10-4.1.mga8
lib(64)lzma5-5.2.5-2.1.mga8
lib(64)lzma-devel-5.2.5-2.1.mga8
xz-5.2.5-2.1.mga8

from SRPMS:
gzip-1.10-4.1.mga8.src.rpm
xz-5.2.5-2.1.mga8.src.rpm
Status comment: Patches available from upstream => (none)
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Source RPM: xz-5.2.5-4.mga9.src.rpm, gzip-1.10-4.mga8.src.rpm => xz-5.2.5-2.mga8.src.rpm, gzip-1.10-4.mga8.src.rpm
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2022-1271
Version: Cauldron => 8
Assignee: smelror => qa-bugs
The following 3 packages are going to be installed:
- gzip-1.10-4.1.mga8.x86_64
- lib64lzma5-5.2.5-2.1.mga8.x86_64
- xz-5.2.5-2.1.mga8.x86_64

Afterwards I zipped a text file: no issues. Zipped an avi file and restored it: no issues. Not a lot in the descriptions of the sec-flaw, so validating that it works. gzip does; will see about testing xz.
CC: (none) => brtians1
Repeated the avi compression test with xz: Videos]$ xz mxx.avi, then decompressed it with xz -d mxx.avi.xz. Video still works, size matches.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 5.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0149.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED