poky/meta/recipes-extended/xz/xz/CVE-2022-1271.patch - openbmc/openbmc - Gitiles

 From dc932a1e9c0d9f1db71be11a9b82496e3a72f112 Mon Sep 17 00:00:00 2001
 From: Lasse Collin <lasse.collin@tukaani.org>
 Date: Tue, 29 Mar 2022 19:19:12 +0300
 Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587).

 Malicious filenames can make xzgrep to write to arbitrary files
 or (with a GNU sed extension) lead to arbitrary code execution.

 xzgrep from XZ Utils versions up to and including 5.2.5 are
 affected. 5.3.1alpha and 5.3.2alpha are affected as well.
 This patch works for all of them.

 This bug was inherited from gzip's zgrep. gzip 1.12 includes
 a fix for zgrep.

 The issue with the old sed script is that with multiple newlines,
 the N-command will read the second line of input, then the
 s-commands will be skipped because it's not the end of the
 file yet, then a new sed cycle starts and the pattern space
 is printed and emptied. So only the last line or two get escaped.

 One way to fix this would be to read all lines into the pattern
 space first. However, the included fix is even simpler: All lines
 except the last line get a backslash appended at the end. To ensure
 that shell command substitution doesn't eat a possible trailing
 newline, a colon is appended to the filename before escaping.
 The colon is later used to separate the filename from the grep
 output so it is fine to add it here instead of a few lines later.

 The old code also wasn't POSIX compliant as it used \n in the
 replacement section of the s-command. Using \<newline> is the
 POSIX compatible method.

 LC_ALL=C was added to the two critical sed commands. POSIX sed
 manual recommends it when using sed to manipulate pathnames
 because in other locales invalid multibyte sequences might
 cause issues with some sed implementations. In case of GNU sed,
 these particular sed scripts wouldn't have such problems but some
 other scripts could have, see:

     info '(sed)Locale Considerations'

 This vulnerability was discovered by:
 cleemy desu wayo working with Trend Micro Zero Day Initiative

 Thanks to Jim Meyering and Paul Eggert discussing the different
 ways to fix this and for coordinating the patch release schedule
 with gzip.

 Upstream-Status: Backport [https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch]
 CVE: CVE-2022-1271

 Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
 ---
  src/scripts/xzgrep.in | 20 ++++++++++++--------
  1 file changed, 12 insertions(+), 8 deletions(-)

 diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in
 index 9db5c3a..f64dddb 100644
 --- a/src/scripts/xzgrep.in
 +++ b/src/scripts/xzgrep.in
 @@ -179,22 +179,26 @@ for i; do
           { test $# -eq 1 || test $no_filename -eq 1; }; then
        eval "$grep"
      else
 +      # Append a colon so that the last character will never be a newline
 +      # which would otherwise get lost in shell command substitution.
 +      i="$i:"
 +
 +      # Escape & \ | and newlines only if such characters are present
 +      # (speed optimization).
        case $i in
        (*'
  '* | *'&'* | *'\'* | *'|'*)
 -        i=$(printf '%s\n' "$i" |
 -            sed '
 -              $!N
 -              $s/[&\|]/\\&/g
 -              $s/\n/\\n/g
 -            ');;
 +        i=$(printf '%s\n' "$i" | LC_ALL=C sed 's/[&\|]/\\&/g; $!s/$/\\/');;
        esac
 -      sed_script="s|^|$i:|"
 +
 +      # $i already ends with a colon so don't add it here.
 +      sed_script="s|^|$i|"

        # Fail if grep or sed fails.
        r=$(
          exec 4>&1
 -        (eval "$grep" 4>&-; echo $? >&4) 3>&- | sed "$sed_script" >&3 4>&-
 +        (eval "$grep" 4>&-; echo $? >&4) 3>&- |
 +            LC_ALL=C sed "$sed_script" >&3 4>&-
        ) || r=2
        exit $r
      fi >&3 5>&-
	From dc932a1e9c0d9f1db71be11a9b82496e3a72f112 Mon Sep 17 00:00:00 2001
	From: Lasse Collin <lasse.collin@tukaani.org>
	Date: Tue, 29 Mar 2022 19:19:12 +0300
	Subject: [PATCH] xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587).

	Malicious filenames can make xzgrep to write to arbitrary files
	or (with a GNU sed extension) lead to arbitrary code execution.

	xzgrep from XZ Utils versions up to and including 5.2.5 are
	affected. 5.3.1alpha and 5.3.2alpha are affected as well.
	This patch works for all of them.

	This bug was inherited from gzip's zgrep. gzip 1.12 includes
	a fix for zgrep.

	The issue with the old sed script is that with multiple newlines,
	the N-command will read the second line of input, then the
	s-commands will be skipped because it's not the end of the
	file yet, then a new sed cycle starts and the pattern space
	is printed and emptied. So only the last line or two get escaped.

	One way to fix this would be to read all lines into the pattern
	space first. However, the included fix is even simpler: All lines
	except the last line get a backslash appended at the end. To ensure
	that shell command substitution doesn't eat a possible trailing
	newline, a colon is appended to the filename before escaping.
	The colon is later used to separate the filename from the grep
	output so it is fine to add it here instead of a few lines later.

	The old code also wasn't POSIX compliant as it used \n in the
	replacement section of the s-command. Using \<newline> is the
	POSIX compatible method.

	LC_ALL=C was added to the two critical sed commands. POSIX sed
	manual recommends it when using sed to manipulate pathnames
	because in other locales invalid multibyte sequences might
	cause issues with some sed implementations. In case of GNU sed,
	these particular sed scripts wouldn't have such problems but some
	other scripts could have, see:

	info '(sed)Locale Considerations'

	This vulnerability was discovered by:
	cleemy desu wayo working with Trend Micro Zero Day Initiative

	Thanks to Jim Meyering and Paul Eggert discussing the different
	ways to fix this and for coordinating the patch release schedule
	with gzip.

	Upstream-Status: Backport [https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch]
	CVE: CVE-2022-1271

	Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
	---
	src/scripts/xzgrep.in \| 20 ++++++++++++--------
	1 file changed, 12 insertions(+), 8 deletions(-)

	diff --git a/src/scripts/xzgrep.in b/src/scripts/xzgrep.in
	index 9db5c3a..f64dddb 100644
	--- a/src/scripts/xzgrep.in
	+++ b/src/scripts/xzgrep.in
	@@ -179,22 +179,26 @@ for i; do
	{ test $# -eq 1 \|\| test $no_filename -eq 1; }; then
	eval "$grep"
	else
	+ # Append a colon so that the last character will never be a newline
	+ # which would otherwise get lost in shell command substitution.
	+ i="$i:"
	+
	+ # Escape & \ \| and newlines only if such characters are present
	+ # (speed optimization).
	case $i in
	(*'
	'* \| '&' \| '\' \| '\|')
	- i=$(printf '%s\n' "$i" \|
	- sed '
	- $!N
	- $s/[&\\|]/\\&/g
	- $s/\n/\\n/g
	- ');;
	+ i=$(printf '%s\n' "$i" \| LC_ALL=C sed 's/[&\\|]/\\&/g; $!s/$/\\/');;
	esac
	- sed_script="s\|^\|$i:\|"
	+
	+ # $i already ends with a colon so don't add it here.
	+ sed_script="s\|^\|$i\|"

	# Fail if grep or sed fails.
	r=$(
	exec 4>&1
	- (eval "$grep" 4>&-; echo $? >&4) 3>&- \| sed "$sed_script" >&3 4>&-
	+ (eval "$grep" 4>&-; echo $? >&4) 3>&- \|
	+ LC_ALL=C sed "$sed_script" >&3 4>&-
	) \|\| r=2
	exit $r
	fi >&3 5>&-