An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.
The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs that only arise after the modification.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
| Link | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2073310 | issue tracking third party advisory |
| https://www.openwall.com/lists/oss-security/2022/04/07/8 | mailing list third party advisory patch |
| https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html | mailing list patch vendor advisory |
| https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch | third party advisory patch |
| https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0589cb63d6 | broken link |
| https://security-tracker.debian.org/tracker/CVE-2022-1271 | third party advisory |
| https://access.redhat.com/security/cve/CVE-2022-1271 | third party advisory |
| https://security.gentoo.org/glsa/202209-01 | third party advisory vendor advisory |
| https://security.netapp.com/advisory/ntap-20220930-0006/ | third party advisory |