Your message dated Sun, 10 Apr 2022 19:19:37 +0000
with message-id <[email protected]>
and subject line Bug#1009167: fixed in xz-utils 5.2.5-2.1
has caused the Debian Bug report #1009167,
regarding xz-utils: CVE-2022-1271: xzgrep: arbitrary-file-write vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1009167: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009167
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: xz-utils
Version: 5.2.5-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: clone -1 -2
Control: retitle -2 gzip: CVE-2022-1271: zgrep: arbitrary-file-write vulnerability
Control: reassign -2 src:gzip 1.10-4
Control: found -2 1.9-3

Hi,

The following vulnerability was published for xz-utils and gzip. Both
have to date been assigned the same CVE, and I am cloning this bug as
well to have one for gzip.

CVE-2022-1271[0]:
| zgrep, xzgrep: arbitrary-file-write vulnerability

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-1271
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271
[1] https://www.openwall.com/lists/oss-security/2022/04/07/8
[2] https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
[3] https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: xz-utils
Source-Version: 5.2.5-2.1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
xz-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated xz-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 10 Apr 2022 13:31:29 +0200
Source: xz-utils
Architecture: source
Version: 5.2.5-2.1
Distribution: unstable
Urgency: medium
Maintainer: Jonathan Nieder <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1009167
Changes:
 xz-utils (5.2.5-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587)
     (CVE-2022-1271) (Closes: #1009167)
Checksums-Sha1: 
 9fdfa1a890eb8f69b2025251ef3fe2b172c03655 2402 xz-utils_5.2.5-2.1.dsc
 69f8b1d4badfb933756651e3cd38bbdec223a6c5 34916 xz-utils_5.2.5-2.1.debian.tar.xz
Checksums-Sha256: 
 338b5ec72d0d48a5fbb004926ebac8850eecd9626e38f6b50960ed975513b081 2402 xz-utils_5.2.5-2.1.dsc
 24a1950b365b0922c3ef7f1475930bbcc64cdef04929f081b8ad5e2628ef2413 34916 xz-utils_5.2.5-2.1.debian.tar.xz
Files: 
 24c18fcb7164ea54925855d42e9efbb3 2402 utils optional xz-utils_5.2.5-2.1.dsc
 fef1f22e19e49cfda82b66cb42a7dfc9 34916 utils optional xz-utils_5.2.5-2.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
