Lucene search

K
archlinuxArchLinuxASA-202204-8
HistoryApr 07, 2022 - 12:00 a.m.

[ASA-202204-8] xz: arbitrary command execution

2022-04-0700:00:00
security.archlinux.org
27

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

76.3%

Arch Linux Security Advisory ASA-202204-8

Severity: High
Date : 2022-04-07
CVE-ID : CVE-2022-1271
Package : xz
Type : arbitrary command execution
Remote : No
Link : https://security.archlinux.org/AVG-2665

Summary

The package xz before version 5.2.5-3 is vulnerable to arbitrary
command execution.

Resolution

Upgrade to 5.2.5-3.

pacman -Syu “xz>=5.2.5-3”

The problem has been fixed upstream but no release is available yet.

Workaround

None.

Description

Malicious filenames with two or more newlines can make zgrep and xzgrep
to write to arbitrary files or (with a GNU sed extension) lead to
arbitrary code execution. The issue with the old code is that with
multiple newlines, the N-command will read the second line of input,
then the s-commands will be skipped because it’s not the end of the
file yet, then a new sed cycle starts and the pattern space is printed
and emptied. So only the last line or two get escaped.

Impact

An attacker is able to provide malicious filenames to write to
arbitrary files or execute arbitrary commands on the affected host.

References

https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=dc9740df61e575e8c3148b7bd3c147a81ea00c7c
https://savannah.gnu.org/forum/forum.php?forum_id=10157
https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch.sig
https://security.archlinux.org/CVE-2022-1271

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanyxz< 5.2.5-3UNKNOWN

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.005 Low

EPSS

Percentile

76.3%

Related for ASA-202204-8