--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-6b512ae9e5
2022-04-30 18:40:14.825912
--------------------------------------------------------------------------------

Name        : gzip
Product     : Fedora 34
Version     : 1.10
Release     : 5.fc34
URL         : http://www.gzip.org/
Summary     : The GNU data compression program
Description :
The gzip package contains the popular GNU gzip data compression
program. Gzipped files have a .gz extension.
Gzip should be installed on your system, because it is a very commonly used data compression program.

--------------------------------------------------------------------------------
Update Information:

zgrep applied to a crafted file name with two or more newlines can no longer
overwrite an arbitrary, attacker-selected file.

reproducer:
$ touch foo.gz
$ echo foo | gzip > "$(printf '|\n;e touch pwned\n#.gz')"
$ zgrep foo *.gz
(the unfixed version of zgrep creates the file called pwned)
--------------------------------------------------------------------------------
ChangeLog:

* Wed Apr 13 2022 Jakub Martisko jamartis@redhat.com - 1.10-5
- fix an arbitrary-file-write vulnerability in zgrep
  Resolves: CVE-2022-1271
--------------------------------------------------------------------------------
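
A pre-check for the issue described under Update Information, as an added example that is not part of the Fedora advisory or of gzip: it reports files whose names contain two or more newlines before zgrep is run over a directory tree. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a directory tree for file
# names containing two or more newlines, the name shape the advisory
# says unfixed zgrep mishandles. Function names are hypothetical.

# A literal newline, used inside the find(1) name pattern below.
NL='
'

# list_multiline_names DIR
# Prints one line per regular file whose base name contains two or more
# newlines. Each newline in the path is replaced by '?' so the report
# stays one record per line and is safe to log.
list_multiline_names() {
    find "$1" -type f -name "*${NL}*${NL}*" -exec sh -c '
        for f
        do
            printf "%s" "$f" | tr "\n" "?"
            printf "\n"
        done' sh {} +
}

# count_multiline_names DIR
# Prints the number of matching files (0 when the tree is clean).
count_multiline_names() {
    n=$(list_multiline_names "$1" | wc -l)
    echo $((n))   # arithmetic expansion strips padding some wc builds add
}

# tree_is_clean DIR
# Exit status 0 when no such name exists under DIR, 1 otherwise.
tree_is_clean() {
    [ "$(count_multiline_names "$1")" -eq 0 ]
}
```

Running tree_is_clean on an upload or extraction directory before any zgrep invocation gives a yes/no gate; list_multiline_names gives the entries to review.
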

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-6b512ae9e5' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
package-announce@lists.fedoraproject.org