From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: Fwd: [xz-announce] xzgrep security fix for XZ Utils <= 5.2.5, 5.3.2alpha (ZDI-CAN-16587)
Date: Mon, 11 Apr 2022 11:57:25 +0200
In-Reply-To: <08089DC1-FDE5-4B1B-8DFA-AA2234CF24B3@ipfire.org>

Hi Michael,

On 11/04/2022 10:13, Michael Tremer wrote:
> Who would like to grab this one and update XZ?
>
I'll pick it up.

Regards,
Adolf.

>> Begin forwarded message:
>>
>> *From: *Lasse Collin
>> *Subject: **[xz-announce] xzgrep security fix for XZ Utils <= 5.2.5, 5.3.2alpha (ZDI-CAN-16587)*
>> *Date: *7 April 2022 at 18:10:50 BST
>> *To: *xz-announce(a)tukaani.org
>>
>> Malicious filenames can make xzgrep write to arbitrary files
>> or (with a GNU sed extension) lead to arbitrary code execution.
>>
>> xzgrep from XZ Utils versions up to and including 5.2.5 is
>> affected. 5.3.1alpha and 5.3.2alpha are affected as well.
>> This patch works for all of them.
>>
>> This bug was inherited from gzip's zgrep. gzip 1.12 includes
>> a fix for zgrep.
>>
>> This vulnerability was discovered by:
>> cleemy desu wayo working with Trend Micro Zero Day Initiative
>>
>> The patch and signature are available here:
>>
>> https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
>> https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch.sig
>>
>> It is also linked from the XZ Utils home page.
>>
>> -- 
>> Lasse Collin
>>
>