FEDORA-2022-6746dde2a0
Packages in this update:
gzip-1.10-6.fc35
Update description:
zgrep applied to a crafted file name with two or more newlines can no longer overwrite an arbitrary, attacker-selected file.
reproducer:
$ touch foo.gz
$ echo foo | gzip > "$(printf '|\n;e touch pwned\n#.gz')"
$ zgrep foo *.gz
(the unfixed version of zgrep creates the file called pwned)
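The following check is an added example, not part of the Fedora advisory or the gzip project: it flags file names containing a newline before a directory is handed to zgrep. The function names and the "?" display convention are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: detect file names that contain a newline character,
# the precondition for the zgrep issue described in this advisory.

# A literal newline, used inside the find(1) name pattern.
NL='
'

# Print how many entries under DIR have a newline in their name.
# One "x" is emitted per match, so the count is not confused by the
# newlines embedded in the names themselves.
count_newline_names() {
    find "$1" -name "*${NL}*" -exec printf x \; | wc -c | tr -d ' '
}

# Print each offending path on a single line, with every newline
# shown as "?" so the listing is safe to read and to log.
list_newline_names() {
    find "$1" -name "*${NL}*" -exec sh -c '
        for p do printf "%s" "$p" | tr "\n" "?"; echo; done' sh {} +
}

# Return 0 when no name under DIR contains a newline, 1 otherwise.
# Intended as a guard before running zgrep over untrusted files.
names_are_clean() {
    [ "$(count_newline_names "$1")" -eq 0 ]
}
```

Run names_are_clean on a directory of untrusted archives on hosts that have not yet received gzip-1.10-6.fc35, and review the output of list_newline_names when it fails.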