Stay Secure with the Latest Linux Advisories

security advisorysecurity issueFedora

Fedora 35: FEDORA-2022-6746dde2a0 Moderate: zgrep Arbitrary Overwrite

zgrep applied to a crafted file name with two or more newlines can no longer overwrite an arbitrary, attacker-selected file. reproducer: $ touch foo.gz $ echo foo | gzip > "$(printf '|\n;e touch pwned\n#.gz')" $ zgrep foo *.gz (the unfixed version of zgrep creates the file called pwned). --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2022-6746dde2a0 2022-04-20 19:09:32.222254 --------------------------------------------------------------------------------Name : gzip Product : Fedora 35 Version : 1.10 Release : 6.fc35 URL : https://www.gzip.org/ Summary : GNU data compression program Description : The gzip package contains the popular GNU gzip data compression program. Gzipped files have a .gz extension. Gzip should be installed on your system, because it is a very commonly used data compression program. --------------------------------------------------------------------------------Update Information: zgrep applied to a crafted file name with two or more newlines can no longer overwrite an arbitrary, attacker-selected file. reproducer: $ touch foo.gz $ echo foo | gzip > "$(printf '|\n;e touch pwned\n#.gz')" $ zgrep foo *.gz (the unfixed version of zgrep creates the file called pwned) --------------------------------------------------------------------------------ChangeLog: * Wed Apr 13 2022 Jakub Martisko - 1.10-6 - fix an arbitrary-file-write vulnerability in zgrep Resolves: CVE-2022-1271 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2022-6746dde2a0' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be foundat https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./ Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure . The zgrep utility from the gzip package has fixed a significant file overwriting vulnerability in Fedora 35, enhancing system security and integrity. gzip update,Fedora security,zgrep fix,security update,dnft advisory. . Severity: Important. LinuxSecurity.com Team

Apr 20, 2022 •Important Fedora