=====================================================================

                            CERT-Renater

                  Note d'Information No. 2021/VULN163
_____________________________________________________________________

DATE                : 15/04/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running xzgrep versions prior to
                               5.2.5, 5.3.2alpha.

=====================================================================
https://www.mail-archive.com/xz-devel@tukaani.org/msg00551.html
_____________________________________________________________________

[xz-devel] xzgrep security fix for XZ Utils <= 5.2.5, 5.3.2alpha 
(ZDI-CAN-16587)
Lasse Collin Thu, 07 Apr 2022 10:11:17 -0700

Malicious filenames can make xzgrep to write to arbitrary files
or (with a GNU sed extension) lead to arbitrary code execution.

xzgrep from XZ Utils versions up to and including 5.2.5 are
affected. 5.3.1alpha and 5.3.2alpha are affected as well.
This patch works for all of them.

This bug was inherited from gzip's zgrep. gzip 1.12 includes
a fix for zgrep.

This vulnerability was discovered by:
cleemy desu wayo working with Trend Micro Zero Day Initiative

The patch and signature are available here:

     https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch
     https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch.sig

It is also linked from the XZ Utils home page <https://tukaani.org/xz/>.


Lasse Collin



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================