Hi Michael,
On 11/04/2022 10:13, Michael Tremer wrote:
> Who would like to grab this one and update XZ?
I'll pick it up.
Regards,
Adolf.
Begin forwarded message:
From: Lasse Collin <lasse.collin@tukaani.org>
Subject: [xz-announce] xzgrep security fix for XZ Utils <= 5.2.5, 5.3.2alpha (ZDI-CAN-16587)
Date: 7 April 2022 at 18:10:50 BST
To: xz-announce@tukaani.org
Malicious filenames can make xzgrep write to arbitrary files or (with a GNU sed extension) lead to arbitrary code execution.
xzgrep from XZ Utils versions up to and including 5.2.5 is affected. 5.3.1alpha and 5.3.2alpha are affected as well. This patch works for all of them.
This bug was inherited from gzip's zgrep. gzip 1.12 includes a fix for zgrep.
This vulnerability was discovered by: cleemy desu wayo working with Trend Micro Zero Day Initiative
The patch and signature are available here:
https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch.sig
It is also linked from the XZ Utils home page https://tukaani.org/xz/.
-- Lasse Collin
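The advisory above describes the defect only in outline: a file name supplied to xzgrep ends up inside a sed script, so sed metacharacters in the name are parsed as script rather than as text. The following is an added example, not code from the xz patch or from this thread, showing the unsafe shape beside a hardened one. It assumes the vulnerable pattern is a file name spliced verbatim into a sed `s` command such as `sed "s|^|$name:|"` (the usual way a grep wrapper prefixes output lines with the file name); the advisory's mention of a GNU sed extension suggests this, but the actual fix is in the linked patch and may differ in detail. The function names and the sample file name are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the xz patch or from this thread. It assumes the
# vulnerable shape is a file name interpolated verbatim into a sed "s" command
# (e.g. sed "s|^|$name:|" to prefix matching lines with the file name), which
# the advisory's mention of a GNU sed extension suggests; the real fix is in
# the linked patch and may differ in detail.

# Unsafe shape: $1 is spliced straight into the sed script, so "|", "&", "\"
# and newlines in the file name are parsed as part of the script instead of
# being treated as the name.
label_lines_unsafe() {
    sed "s|^|$1:|"
}

# Escape the file name so sed treats it as literal text in the replacement
# part of "s|^|NAME:|": backslash, the "|" delimiter and "&" get a leading
# backslash, and every embedded newline becomes backslash-newline.
sed_escape_name() {
    printf '%s' "$1" | sed -e 's/[\\|&]/\\&/g' -e '$!s/$/\\/'
}

# Hardened shape: prefix each line of stdin with "NAME:" using the escaped
# name, so the sed script's structure cannot be altered by the name.
label_lines() {
    esc=$(sed_escape_name "$1")
    sed "s|^|$esc:|"
}

# Usage with a constructed file name containing every character that would
# otherwise be special in the replacement; the output keeps it intact.
name='a|b&c\d'
printf 'match 1\nmatch 2\n' | label_lines "$name"
```

The escaping is deliberately tied to the one place the name is used (the replacement side of an `s` command with `|` as delimiter); a different delimiter or a name used on the pattern side would need a different escape set, which is why quoting-by-hand in shell wrappers is fragile and why passing the name to a separate tool rather than into a script is usually the safer design.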