CVE-2022-1271

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

References

Affected packages

Git / git.tukaani.org/xz.git

Affected ranges

Type

GIT

Repo

https://git.tukaani.org/xz.git

Events

Introduced

Fixed

2327a461e1afce862c22269b80d3517801103c1b

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.2.5"
        }
    ]
}

Affected versions

v4.*

v4.42.2alpha

v4.999.3alpha

v4.999.5alpha

v4.999.7beta

v4.999.8beta

v4.999.9beta

v5.*

v5.0.0

v5.1.0alpha

v5.1.1alpha

v5.1.2alpha

v5.1.3alpha

v5.1.4beta

v5.2.0

v5.2.1

v5.2.2

v5.2.3

v5.2.4

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "1.12"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.0.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.0"
            }
        ]
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-1271.json"