Hi Michael,

On 11/04/2022 10:13, Michael Tremer wrote:
> Who would like to grab this one and update XZ?
>

I'll pick it up.

Regards,

Adolf.

>> Begin forwarded message:
>>
>> From: Lasse Collin
>> Subject: [xz-announce] xzgrep security fix for XZ Utils <= 5.2.5, 5.3.2alpha (ZDI-CAN-16587)
>> Date: 7 April 2022 at 18:10:50 BST
>> To: xz-announce(a)tukaani.org
>>
>> Malicious filenames can make xzgrep write to arbitrary files
>> or (with a GNU sed extension) lead to arbitrary code execution.
>>
>> xzgrep from XZ Utils versions up to and including 5.2.5 are
>> affected. 5.3.1alpha and 5.3.2alpha are affected as well.
>> This patch works for all of them.
>>
>> This bug was inherited from gzip's zgrep. gzip 1.12 includes
>> a fix for zgrep.
>>
>> This vulnerability was discovered by:
>> cleemy desu wayo working with Trend Micro Zero Day Initiative
>>
>> The patch and signature are available here:
>>
>> https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
>> https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch.sig
>>
>> It is also linked from the XZ Utils home page.
>>
>> --
>> Lasse Collin