Security update for gzip SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:1250-1 Final 1 1 2022-04-17T13:40:26Z current 2022-04-17T13:40:26Z 2022-04-17T13:40:26Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for gzip This update for gzip fixes the following issues: - CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062) The following non-security bugs were fixed: - Fixed an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713) - Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container caasp/v4/cilium:1.6.6-2022-1250,Container ses/6/cephcsi/cephcsi:latest-2022-1250,SUSE-2022-1250,SUSE-SLE-Product-HPC-15-2022-1250,SUSE-SLE-Product-HPC-15-SP1-ESPOS-2022-1250,SUSE-SLE-Product-HPC-15-SP1-LTSS-2022-1250,SUSE-SLE-Product-SLES-15-2022-1250,SUSE-SLE-Product-SLES-15-SP1-BCL-2022-1250,SUSE-SLE-Product-SLES-15-SP1-LTSS-2022-1250,SUSE-SLE-Product-SLES_SAP-15-2022-1250,SUSE-SLE-Product-SLES_SAP-15-SP1-2022-1250,SUSE-Storage-6-2022-1250 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20221250-1/ Link for SUSE-SU-2022:1250-1 https://lists.suse.com/pipermail/sle-security-updates/2022-April/010742.html E-Mail link for SUSE-SU-2022:1250-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1177047 SUSE Bug 1177047 https://bugzilla.suse.com/1180713 SUSE Bug 1180713 https://bugzilla.suse.com/1198062 SUSE Bug 1198062 https://www.suse.com/security/cve/CVE-2022-1271/ SUSE CVE CVE-2022-1271 page Container caasp/v4/cilium:1.6.6 Container ses/6/cephcsi/cephcsi:latest SUSE Enterprise Storage 6 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS SUSE Linux Enterprise High Performance Computing 15-ESPOS SUSE Linux Enterprise High Performance Computing 15-LTSS SUSE Linux Enterprise Server 15 SP1-BCL SUSE Linux Enterprise Server 15 SP1-LTSS SUSE Linux Enterprise Server 15-LTSS SUSE Linux Enterprise Server for SAP Applications 15 SUSE Linux Enterprise Server for SAP Applications 15 SP1 gzip-1.10-150000.4.12.1 gzip-1.10-150000.4.12.1 as a component of Container caasp/v4/cilium:1.6.6 gzip-1.10-150000.4.12.1 as a component of Container ses/6/cephcsi/cephcsi:latest gzip-1.10-150000.4.12.1 as a component of SUSE Enterprise Storage 6 gzip-1.10-150000.4.12.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS gzip-1.10-150000.4.12.1 as a component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS gzip-1.10-150000.4.12.1 as a component of SUSE Linux Enterprise High Performance Computing 15-ESPOS gzip-1.10-150000.4.12.1 as a component of SUSE Linux Enterprise High Performance Computing 15-LTSS gzip-1.10-150000.4.12.1 as a component of SUSE Linux Enterprise Server 15 SP1-BCL gzip-1.10-150000.4.12.1 as a component of SUSE Linux Enterprise Server 15 SP1-LTSS gzip-1.10-150000.4.12.1 as a component of SUSE Linux Enterprise Server 15-LTSS gzip-1.10-150000.4.12.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 gzip-1.10-150000.4.12.1 as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP1 An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system. CVE-2022-1271 Container caasp/v4/cilium:1.6.6:gzip-1.10-150000.4.12.1 Container ses/6/cephcsi/cephcsi:latest:gzip-1.10-150000.4.12.1 SUSE Enterprise Storage 6:gzip-1.10-150000.4.12.1 SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS:gzip-1.10-150000.4.12.1 SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:gzip-1.10-150000.4.12.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS:gzip-1.10-150000.4.12.1 SUSE Linux Enterprise High Performance Computing 15-LTSS:gzip-1.10-150000.4.12.1 SUSE Linux Enterprise Server 15 SP1-BCL:gzip-1.10-150000.4.12.1 SUSE Linux Enterprise Server 15 SP1-LTSS:gzip-1.10-150000.4.12.1 SUSE Linux Enterprise Server 15-LTSS:gzip-1.10-150000.4.12.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1:gzip-1.10-150000.4.12.1 SUSE Linux Enterprise Server for SAP Applications 15:gzip-1.10-150000.4.12.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20221250-1/ https://www.suse.com/security/cve/CVE-2022-1271.html CVE-2022-1271 https://bugzilla.suse.com/1198062 SUSE Bug 1198062 https://bugzilla.suse.com/1198812 SUSE Bug 1198812 https://bugzilla.suse.com/1199107 SUSE Bug 1199107 https://bugzilla.suse.com/1199108 SUSE Bug 1199108