ArchLinux: 202204-8: xz: arbitrary command execution
Summary
Malicious filenames with two or more newlines can make zgrep and xzgrep to write to arbitrary files or (with a GNU sed extension) lead to arbitrary code execution. The issue with the old code is that with multiple newlines, the N-command will read the second line of input, then the s-commands will be skipped because it's not the end of the file yet, then a new sed cycle starts and the pattern space is printed and emptied. So only the last line or two get escaped.
Resolution
Upgrade to 5.2.5-3.
# pacman -Syu "xz>=5.2.5-3"
The problem has been fixed upstream but no release is available yet.
References
https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c https://savannah.gnu.org/forum/forum.php?forum_id=10157 https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6 https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch.sig https://security.archlinux.org/CVE-2022-1271
Workaround
None.