From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [xz-announce] xzgrep security fix for XZ Utils <= 5.2.5, 5.3.2alpha (ZDI-CAN-16587)
Date: Mon, 11 Apr 2022 11:16:05 +0100 [thread overview]
Message-ID: <D3C39214-261D-4B3D-A3F7-94E0C9281D4B@ipfire.org> (raw)
In-Reply-To: <beb3e7ba-5b0c-5e9c-e08a-a2f6e563720b@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 1376 bytes --]
Thank you!
> On 11 Apr 2022, at 10:57, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>
> Hi Michael,
>
> On 11/04/2022 10:13, Michael Tremer wrote:
>> Who would like to grab this one and update XZ?
>>
> I'll pick it up.
>
>
> Regards,
>
> Adolf.
>
>>> Begin forwarded message:
>>>
>>> *From: *Lasse Collin <lasse.collin(a)tukaani.org>
>>> *Subject: **[xz-announce] xzgrep security fix for XZ Utils <= 5.2.5, 5.3.2alpha (ZDI-CAN-16587)*
>>> *Date: *7 April 2022 at 18:10:50 BST
>>> *To: *xz-announce(a)tukaani.org
>>>
>>> Malicious filenames can make xzgrep to write to arbitrary files
>>> or (with a GNU sed extension) lead to arbitrary code execution.
>>>
>>> xzgrep from XZ Utils versions up to and including 5.2.5 are
>>> affected. 5.3.1alpha and 5.3.2alpha are affected as well.
>>> This patch works for all of them.
>>>
>>> This bug was inherited from gzip's zgrep. gzip 1.12 includes
>>> a fix for zgrep.
>>>
>>> This vulnerability was discovered by:
>>> cleemy desu wayo working with Trend Micro Zero Day Initiative
>>>
>>> The patch and signature are available here:
>>>
>>> https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
>>> https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch.sig
>>>
>>> It is also linked from the XZ Utils home page <https://tukaani.org/xz/>.
>>>
>>> --
>>> Lasse Collin
>>>
>>
prev parent reply other threads:[~2022-04-11 10:16 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <08089DC1-FDE5-4B1B-8DFA-AA2234CF24B3@ipfire.org>
2022-04-11 9:57 ` Fwd: " Adolf Belka
2022-04-11 10:16 ` Michael Tremer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D3C39214-261D-4B3D-A3F7-94E0C9281D4B@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox