From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [xz-announce] xzgrep security fix for XZ Utils <= 5.2.5, 5.3.2alpha (ZDI-CAN-16587)
Date: Mon, 11 Apr 2022 11:16:05 +0100

Thank you!

> On 11 Apr 2022, at 10:57, Adolf Belka wrote:
>
> Hi Michael,
>
> On 11/04/2022 10:13, Michael Tremer wrote:
>> Who would like to grab this one and update XZ?
>>
> I'll pick it up.
>
>
> Regards,
>
> Adolf.
>
>>> Begin forwarded message:
>>>
>>> From: Lasse Collin
>>> Subject: [xz-announce] xzgrep security fix for XZ Utils <= 5.2.5, 5.3.2alpha (ZDI-CAN-16587)
>>> Date: 7 April 2022 at 18:10:50 BST
>>> To: xz-announce(a)tukaani.org
>>>
>>> Malicious filenames can make xzgrep write to arbitrary files
>>> or (with a GNU sed extension) lead to arbitrary code execution.
>>>
>>> xzgrep from XZ Utils versions up to and including 5.2.5 is
>>> affected. 5.3.1alpha and 5.3.2alpha are affected as well.
>>> This patch works for all of them.
>>>
>>> This bug was inherited from gzip's zgrep. gzip 1.12 includes
>>> a fix for zgrep.
>>>
>>> This vulnerability was discovered by:
>>> cleemy desu wayo working with Trend Micro Zero Day Initiative
>>>
>>> The patch and signature are available here:
>>>
>>> https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
>>> https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch.sig
>>>
>>> It is also linked from the XZ Utils home page.
>>>
>>> --
>>> Lasse Collin
>>>
>>
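The advisory quoted above gives exactly two facts a packager needs before scheduling the update: the affected version range (XZ Utils up to and including 5.2.5, plus the 5.3.1alpha and 5.3.2alpha development releases, with gzip's zgrep fixed in gzip 1.12), and that the code-execution outcome depends on a GNU sed extension being available. The script below is an added example, not code from XZ Utils, gzip or the IPFire project, that turns those two facts into a local check. It assumes the affected range is exactly as the advisory states it, that gzip releases before 1.12 ship the unfixed zgrep, and that "GNU sed extension" means the `sed` first in `PATH` identifies itself as GNU sed; the banner strings used as sample input are constructed.

```shell
#!/bin/sh
# Added example for ZDI-CAN-16587 (xzgrep / zgrep). Assumptions, as stated in
# the lead-in: affected XZ Utils range is <= 5.2.5 plus 5.3.1alpha and
# 5.3.2alpha; gzip < 1.12 carries the unfixed zgrep; code execution needs the
# local sed to be GNU sed. Nothing here is the projects' own code.

# True (exit 0) when $1 is a non-empty string of digits.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# True when an XZ Utils version string is in the affected range.
xz_version_affected() {
    v="$1"
    case "$v" in
        5.3.1alpha|5.3.2alpha) return 0 ;;   # the two development releases named explicitly
    esac
    # Drop any alpha/beta suffix, split on dots, then compare against 5.2.5.
    base=$(printf '%s\n' "$v" | sed 's/[a-zA-Z].*$//')
    major=$(printf '%s\n' "$base" | cut -d. -f1)
    minor=$(printf '%s\n' "$base" | cut -d. -f2)
    patch=$(printf '%s\n' "$base" | cut -d. -f3)
    patch=${patch:-0}
    is_uint "$major" && is_uint "$minor" && is_uint "$patch" || return 1  # unparseable: no match
    if [ "$major" -ne 5 ]; then
        if [ "$major" -lt 5 ]; then return 0; else return 1; fi
    fi
    if [ "$minor" -ne 2 ]; then
        if [ "$minor" -lt 2 ]; then return 0; else return 1; fi
    fi
    [ "$patch" -le 5 ]
}

# True when a gzip version string predates the 1.12 zgrep fix (assumption, see above).
gzip_version_affected() {
    major=$(printf '%s\n' "$1" | cut -d. -f1)
    minor=$(printf '%s\n' "$1" | cut -d. -f2)
    minor=${minor:-0}
    is_uint "$major" && is_uint "$minor" || return 1
    if [ "$major" -ne 1 ]; then
        if [ "$major" -lt 1 ]; then return 0; else return 1; fi
    fi
    [ "$minor" -lt 12 ]
}

# Last whitespace-separated field of a "--version" banner line, e.g.
# "xz (XZ Utils) 5.2.5" -> "5.2.5", "gzip 1.10" -> "1.10".
version_from_banner() { printf '%s\n' "$1" | awk '{ print $NF }'; }

# True when a "sed --version" first line identifies GNU sed. BSD and busybox
# sed either reject --version or print something else, so they fall through.
sed_banner_is_gnu() { case "$1" in *"GNU sed"*) return 0 ;; *) return 1 ;; esac; }

# Classify exposure of xzgrep for an xz version and a sed banner, using only
# the two outcomes the advisory names.
xzgrep_exposure() {
    if ! xz_version_affected "$1"; then
        echo "not-affected"
    elif sed_banner_is_gnu "$2"; then
        echo "arbitrary-file-write-or-code-execution"
    else
        echo "arbitrary-file-write"
    fi
}

# Report on the local system; each probe degrades gracefully when the tool is absent.
sed_banner=$(sed --version 2>/dev/null | head -n 1)
xz_banner=$(xz --version 2>/dev/null | head -n 1)
gzip_banner=$(gzip --version 2>/dev/null | head -n 1)
if [ -n "$xz_banner" ]; then
    xzv=$(version_from_banner "$xz_banner")
    echo "xzgrep: XZ Utils $xzv -> $(xzgrep_exposure "$xzv" "$sed_banner")"
else
    echo "xzgrep: xz not installed"
fi
if [ -n "$gzip_banner" ]; then
    gzv=$(version_from_banner "$gzip_banner")
    if gzip_version_affected "$gzv"; then
        echo "zgrep: gzip $gzv -> affected (fixed in gzip 1.12)"
    else
        echo "zgrep: gzip $gzv -> not-affected"
    fi
else
    echo "zgrep: gzip not installed"
fi
```

The version check is deliberately a plain range test rather than a call to the package manager, so the same script runs on a build host, a distribution package and a container image. Note that a non-GNU sed only removes the code-execution path the advisory names; the arbitrary-file-write outcome still applies until the patch is in place.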