| field | value | date |
|---|---|---|
| author | Jim Meyering <meyering@fb.com> | 2022-04-04 23:52:49 -0700 |
| committer | Jim Meyering <meyering@fb.com> | 2022-04-07 09:28:24 -0700 |
| commit | d74a30d45c6834c8e9f87115197370fe86656d81 | |
| tree | 73dd415c989912a0bc9299e1441eba98ad07c846 | |
| parent | dc9740df61e575e8c3148b7bd3c147a81ea00c7c | |
zgrep: add NEWS and tests for this exploitable bug
* tests/zgrep-abuse: New file, based on PoC by cleemy desu wayo.
* tests/Makefile.am (TESTS): Add it.
* NEWS: Mention the exploit.
The bug appears to have been present since the beginning.
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | NEWS | 3 |
| -rw-r--r-- | tests/Makefile.am | 1 |
| -rwxr-xr-x | tests/zgrep-abuse | 41 |
3 files changed, 45 insertions, 0 deletions
@@ -16,6 +16,9 @@ GNU gzip NEWS -*- outline -*- ** Bug fixes + zgrep applied to a crafted file name with two or more newlines + can no longer overwrite an arbitrary, attacker-selected file. + 'zdiff -C 5' no longer misbehaves by treating '5' as a file name. Configure-time options like --program-prefix now work. diff --git a/tests/Makefile.am b/tests/Makefile.am index d09672e..5f148d6 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -36,6 +36,7 @@ TESTS = \ z-suffix \ zdiff \ zgrep-f \ + zgrep-abuse \ zgrep-context \ zgrep-signal \ znew-k diff --git a/tests/zgrep-abuse b/tests/zgrep-abuse new file mode 100755 index 0000000..3e8a8f9 --- /dev/null +++ b/tests/zgrep-abuse @@ -0,0 +1,41 @@ +#!/bin/sh +# Show how zgrep applied to a crafted file name may overwrite +# a selected file with chosen content. Fixed in gzip-1.12. + +# Copyright (C) 2022 Free Software Foundation, Inc. + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <https://www.gnu.org/licenses/>. +# limit so don't run it by default. + +. "${srcdir=.}/init.sh"; path_prepend_ .. + +: > z || framework_failure_ +echo test |gzip > 'z| +p +1s|.*|chosen-content| +1w hacked +etouch .\x2fhacked2 +d +# +#' || framework_failure_ + +fail=0 + +zgrep test z* > /dev/null + +# Before the fix, each of these would be created. +test -f hacked && fail=1 +test -f hacked2 && fail=1 + +Exit $fail |
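Review bot: The NEWS hunk says what zgrep no longer does but not which releases were affected or how the name was abused; since the commit message says the bug "appears to have been present since the beginning", stating that in the entry (as the new test's header does with "Fixed in gzip-1.12") would help distributors decide whether to backport. The crafted name in the test is made of sed commands (`1w hacked`, `etouch .\x2fhacked2`), so the entry could also say that a file name containing newlines was being spliced into zgrep's sed script, rather than only describing the outcome.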
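Review bot: Adding `zgrep-abuse \` to TESTS runs the script under `make check`, but confirm it is also covered for distribution (an EXTRA_DIST rule over $(TESTS), if this Makefile.am has one) so the test ships in release tarballs. The `new file mode 100755` in the diff header is what the TESTS driver needs for a `#!/bin/sh` script, so that part is fine.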
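Review bot: In tests/zgrep-abuse the comment `# limit so don't run it by default.` just before `. "${srcdir=.}/init.sh"` is a dangling fragment: it has no preceding sentence, and the test is run by default because this same patch adds it to TESTS, so the line should be deleted or completed if some limit was intended. Two smaller points: the test only asserts that `hacked` and `hacked2` are absent and never checks zgrep's exit status or diagnostic, so a fixed zgrep that silently skips the crafted name and one that reports it are indistinguishable; capturing stderr (`zgrep test z* >/dev/null 2>err`) and checking it would pin the expected behavior. And `etouch .\x2fhacked2` relies on GNU sed's `e` command, so the hacked2 probe only reproduces the pre-fix overwrite on GNU sed; harmless here since the assertion is that the file does not exist, but worth a one-line comment.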