|
 |
6d29d6 |
From d74a30d45c6834c8e9f87115197370fe86656d81 Mon Sep 17 00:00:00 2001
|
|
|
6d29d6 |
From: Jim Meyering <meyering@fb.com>
|
|
|
6d29d6 |
Date: Mon, 4 Apr 2022 23:52:49 -0700
|
|
|
6d29d6 |
Subject: zgrep: add NEWS and tests for this exploitable bug
|
|
|
6d29d6 |
|
|
|
6d29d6 |
* tests/zgrep-abuse: New file, based on PoC by cleemy desu wayo.
|
|
|
6d29d6 |
* tests/Makefile.am (TESTS): Add it.
|
|
|
6d29d6 |
* NEWS: Mention the exploit.
|
|
|
6d29d6 |
The bug appears to have been present since the beginning.
|
|
|
6d29d6 |
---
|
|
|
6d29d6 |
tests/Makefile.am | 1 +
|
|
|
6d29d6 |
tests/zgrep-abuse | 41 +++++++++++++++++++++++++++++++++++++++++
|
|
|
6d29d6 |
3 files changed, 45 insertions(+)
|
|
|
6d29d6 |
create mode 100755 tests/zgrep-abuse
|
|
|
6d29d6 |
|
|
|
6d29d6 |
diff --git a/tests/Makefile.am b/tests/Makefile.am
|
|
|
6d29d6 |
index d09672e..5f148d6 100644
|
|
|
6d29d6 |
--- a/tests/Makefile.am
|
|
|
6d29d6 |
+++ b/tests/Makefile.am
|
|
|
6d29d6 |
@@ -36,6 +36,7 @@ TESTS = \
|
|
|
6d29d6 |
z-suffix \
|
|
|
6d29d6 |
zdiff \
|
|
|
6d29d6 |
zgrep-f \
|
|
|
6d29d6 |
+ zgrep-abuse \
|
|
|
6d29d6 |
zgrep-context \
|
|
|
6d29d6 |
zgrep-signal \
|
|
|
6d29d6 |
znew-k
|
|
|
6d29d6 |
diff --git a/tests/zgrep-abuse b/tests/zgrep-abuse
|
|
|
6d29d6 |
new file mode 100755
|
|
|
6d29d6 |
index 0000000..3e8a8f9
|
|
|
6d29d6 |
--- /dev/null
|
|
|
6d29d6 |
+++ b/tests/zgrep-abuse
|
|
|
6d29d6 |
@@ -0,0 +1,41 @@
|
|
|
6d29d6 |
+#!/bin/sh
|
|
|
6d29d6 |
+# Show how zgrep applied to a crafted file name may overwrite
|
|
|
6d29d6 |
+# a selected file with chosen content. Fixed in gzip-1.12.
|
|
|
6d29d6 |
+
|
|
|
6d29d6 |
+# Copyright (C) 2022 Free Software Foundation, Inc.
|
|
|
6d29d6 |
+
|
|
|
6d29d6 |
+# This program is free software: you can redistribute it and/or modify
|
|
|
6d29d6 |
+# it under the terms of the GNU General Public License as published by
|
|
|
6d29d6 |
+# the Free Software Foundation, either version 3 of the License, or
|
|
|
6d29d6 |
+# (at your option) any later version.
|
|
|
6d29d6 |
+
|
|
|
6d29d6 |
+# This program is distributed in the hope that it will be useful,
|
|
|
6d29d6 |
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
6d29d6 |
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
6d29d6 |
+# GNU General Public License for more details.
|
|
|
6d29d6 |
+
|
|
|
6d29d6 |
+# You should have received a copy of the GNU General Public License
|
|
|
6d29d6 |
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
|
6d29d6 |
+# limit so don't run it by default.
|
|
|
6d29d6 |
+
|
|
|
6d29d6 |
+. "${srcdir=.}/init.sh"; path_prepend_ ..
|
|
|
6d29d6 |
+
|
|
|
6d29d6 |
+: > z || framework_failure_
|
|
|
6d29d6 |
+echo test |gzip > 'z|
|
|
|
6d29d6 |
+p
|
|
|
6d29d6 |
+1s|.*|chosen-content|
|
|
|
6d29d6 |
+1w hacked
|
|
|
6d29d6 |
+etouch .\x2fhacked2
|
|
|
6d29d6 |
+d
|
|
|
6d29d6 |
+#
|
|
|
6d29d6 |
+#' || framework_failure_
|
|
|
6d29d6 |
+
|
|
|
6d29d6 |
+fail=0
|
|
|
6d29d6 |
+
|
|
|
6d29d6 |
+zgrep test z* > /dev/null
|
|
|
6d29d6 |
+
|
|
|
6d29d6 |
+# Before the fix, each of these would be created.
|
|
|
6d29d6 |
+test -f hacked && fail=1
|
|
|
6d29d6 |
+test -f hacked2 && fail=1
|
|
|
6d29d6 |
+
|
|
|
6d29d6 |
+Exit $fail
|
|
|
6d29d6 |
--
|
|
|
6d29d6 |
cgit v1.1
|
|
|
6d29d6 |
|