- ------------------------------------------------------------------------- Debian Security Advisory DSA-5123-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso April 18, 2022 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : xz-utils CVE ID : CVE-2022-1271 Debian Bug : 1009167 cleemy desu wayo reported that incorrect handling of filenames by xzgrep in xz-utils, the XZ-format compression utilities, can result in overwrite of arbitrary files or execution of arbitrary code if a file with a specially crafted filename is processed. For the oldstable distribution (buster), this problem has been fixed in version 5.2.4-1+deb10u1. For the stable distribution (bullseye), this problem has been fixed in version 5.2.5-2.1~deb11u1. We recommend that you upgrade your xz-utils packages. For the detailed security status of xz-utils please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xz-utils Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: [email protected]