Read Time:19 Second

FEDORA-2022-6b512ae9e5

Packages in this update:

gzip-1.10-5.fc34

Update description:

zgrep applied to a crafted file name with two or more newlines can no longer overwrite an arbitrary, attacker-selected file.

reproducer:

$ touch foo.gz
$ echo foo | gzip > “$(printf ‘|n;e touch pwnedn#.gz’)”
$ zgrep foo *.gz

(the unfixed version of zgrep creates the file called pwned)

Read More