Date: Tue, 19 Apr 2022 14:58:50 GMT
Message-Id: <202204191458.23JEwomj006951@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Fernando Apesteguía
Subject: git: 8a0ed132ec0b - main - security/vuxml: Add gzip's CVE-2022-1271
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: fernape
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 8a0ed132ec0b0374d6c897b5ee031015d89402c3

The branch main has been updated by fernape:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=8a0ed132ec0b0374d6c897b5ee031015d89402c3

commit 8a0ed132ec0b0374d6c897b5ee031015d89402c3
Author:     Fernando Apesteguía
AuthorDate: 2022-04-19 14:34:44 +0000
Commit:     Fernando Apesteguía
CommitDate: 2022-04-19 14:56:44 +0000

    security/vuxml: Add gzip's CVE-2022-1271

    Arbitrary file write vulnerability.

    Security: CVE-2022-1271
--- security/vuxml/vuln-2022.xml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml index 8c9ab69156a8..52a5480e870e 100644 --- a/security/vuxml/vuln-2022.xml +++ b/security/vuxml/vuln-2022.xml @@ -1,3 +1,39 @@ + + zgrep -- arbitrary file write + + + gzip + 1.12 + + + + +

RedHat reports:

+
+

An arbitrary file write vulnerability was found in GNU + gzip's zgrep utility. When zgrep is applied on the + attacker's chosen file name (for example, a crafted + file name), this can overwrite an attacker's content + to an arbitrary attacker-selected file. This flaw + occurs due to insufficient validation when processing + filenames with two or more newlines where selected + content and the target file names are embedded in + crafted multi-line file names. This flaw allows a + remote, low privileged attacker to force zgrep to + write arbitrary files on the system.

+
+ +
+ + CVE-2022-1271 + https://bugzilla.redhat.com/show_bug.cgi?id=2073310 + + + 2022-04-07 + 2022-04-19 + +
+ Nextcloud Calendar -- SMTP Command Injection
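
Review bot: The topic at the top of the new entry reads "zgrep -- arbitrary file write", while the only affected package named beneath it is gzip (bound 1.12). Consider leading the topic with the package name, for example "gzip -- zgrep arbitrary file write", so the entry is found when searching by the port that is actually installed. The references list only the CVE and the Red Hat Bugzilla URL; adding a link to the upstream gzip release announcement would let readers confirm the 1.12 bound from the primary source.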