Re: Fwd: [xz-announce] xzgrep security fix for XZ Utils <= 5.2.5, 5.3.2alpha (ZDI-CAN-16587)

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Fwd: [xz-announce] xzgrep security fix for XZ Utils <= 5.2.5, 5.3.2alpha (ZDI-CAN-16587)
Date: Mon, 11 Apr 2022 11:57:25 +0200	[thread overview]
Message-ID: <beb3e7ba-5b0c-5e9c-e08a-a2f6e563720b@ipfire.org> (raw)
In-Reply-To: <08089DC1-FDE5-4B1B-8DFA-AA2234CF24B3@ipfire.org>

[-- Attachment #1: Type: text/plain, Size: 1216 bytes --]

Hi Michael,

On 11/04/2022 10:13, Michael Tremer wrote:
> Who would like to grab this one and update XZ?
>
I'll pick it up.


Regards,

Adolf.

>> Begin forwarded message:
>>
>> *From: *Lasse Collin <lasse.collin(a)tukaani.org>
>> *Subject: **[xz-announce] xzgrep security fix for XZ Utils <= 5.2.5, 5.3.2alpha (ZDI-CAN-16587)*
>> *Date: *7 April 2022 at 18:10:50 BST
>> *To: *xz-announce(a)tukaani.org
>>
>> Malicious filenames can make xzgrep to write to arbitrary files
>> or (with a GNU sed extension) lead to arbitrary code execution.
>>
>> xzgrep from XZ Utils versions up to and including 5.2.5 are
>> affected. 5.3.1alpha and 5.3.2alpha are affected as well.
>> This patch works for all of them.
>>
>> This bug was inherited from gzip's zgrep. gzip 1.12 includes
>> a fix for zgrep.
>>
>> This vulnerability was discovered by:
>> cleemy desu wayo working with Trend Micro Zero Day Initiative
>>
>> The patch and signature are available here:
>>
>> https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
>> https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch.sig
>>
>> It is also linked from the XZ Utils home page <https://tukaani.org/xz/>.
>>
>> -- 
>> Lasse Collin
>>
>

next      parent reply	other threads:[~2022-04-11  9:57 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <08089DC1-FDE5-4B1B-8DFA-AA2234CF24B3@ipfire.org>
2022-04-11  9:57 ` Adolf Belka [this message]
2022-04-11 10:16   ` Michael Tremer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=beb3e7ba-5b0c-5e9c-e08a-a2f6e563720b@ipfire.org \
    --to=adolf.belka@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox