Security update for gzip SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:1673-1 Final 1 1 2022-05-16T08:11:20Z current 2022-05-16T08:11:20Z 2022-05-16T08:11:20Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for gzip This update for gzip fixes the following issues: - CVE-2022-1271: Add hardening for zgrep. (bsc#1198062) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/sles12sp3:latest-2022-1673,HPE-Helion-OpenStack-8-2022-1673,SUSE-2022-1673,SUSE-OpenStack-Cloud-8-2022-1673,SUSE-OpenStack-Cloud-9-2022-1673,SUSE-OpenStack-Cloud-Crowbar-8-2022-1673,SUSE-OpenStack-Cloud-Crowbar-9-2022-1673,SUSE-SLE-SAP-12-SP3-2022-1673,SUSE-SLE-SAP-12-SP4-2022-1673,SUSE-SLE-SERVER-12-SP2-BCL-2022-1673,SUSE-SLE-SERVER-12-SP3-2022-1673,SUSE-SLE-SERVER-12-SP3-BCL-2022-1673,SUSE-SLE-SERVER-12-SP4-LTSS-2022-1673 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20221673-1/ Link for SUSE-SU-2022:1673-1 https://lists.suse.com/pipermail/sle-security-updates/2022-May/011029.html E-Mail link for SUSE-SU-2022:1673-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-1271/ SUSE CVE CVE-2022-1271 page Container suse/sles12sp3:latest HPE Helion OpenStack 8 SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP3-BCL SUSE Linux Enterprise Server 12 SP3-LTSS SUSE Linux Enterprise Server 12 SP4-LTSS SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9 gzip-1.6-9.9.1 gzip-1.6-9.9.1 as a component of Container suse/sles12sp3:latest gzip-1.6-9.9.1 as a component of HPE Helion OpenStack 8 gzip-1.6-9.9.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL gzip-1.6-9.9.1 as a component of SUSE Linux Enterprise Server 12 SP3-BCL gzip-1.6-9.9.1 as a component of SUSE Linux Enterprise Server 12 SP3-LTSS gzip-1.6-9.9.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS gzip-1.6-9.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP3 gzip-1.6-9.9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 gzip-1.6-9.9.1 as a component of SUSE OpenStack Cloud 8 gzip-1.6-9.9.1 as a component of SUSE OpenStack Cloud 9 gzip-1.6-9.9.1 as a component of SUSE OpenStack Cloud Crowbar 8 gzip-1.6-9.9.1 as a component of SUSE OpenStack Cloud Crowbar 9 An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system. CVE-2022-1271 Container suse/sles12sp3:latest:gzip-1.6-9.9.1 HPE Helion OpenStack 8:gzip-1.6-9.9.1 SUSE Linux Enterprise Server 12 SP2-BCL:gzip-1.6-9.9.1 SUSE Linux Enterprise Server 12 SP3-BCL:gzip-1.6-9.9.1 SUSE Linux Enterprise Server 12 SP3-LTSS:gzip-1.6-9.9.1 SUSE Linux Enterprise Server 12 SP4-LTSS:gzip-1.6-9.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP3:gzip-1.6-9.9.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:gzip-1.6-9.9.1 SUSE OpenStack Cloud 8:gzip-1.6-9.9.1 SUSE OpenStack Cloud 9:gzip-1.6-9.9.1 SUSE OpenStack Cloud Crowbar 8:gzip-1.6-9.9.1 SUSE OpenStack Cloud Crowbar 9:gzip-1.6-9.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20221673-1/ https://www.suse.com/security/cve/CVE-2022-1271.html CVE-2022-1271 https://bugzilla.suse.com/1198062 SUSE Bug 1198062 https://bugzilla.suse.com/1198812 SUSE Bug 1198812 https://bugzilla.suse.com/1199107 SUSE Bug 1199107 https://bugzilla.suse.com/1199108 SUSE Bug 1199108