CVE-2022-1271

Publication date 7 April 2022

Last updated 24 July 2024

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

8.8 · High

Score breakdown

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

Status

Package Ubuntu Release Status
gzip 22.04 LTS jammy
Fixed 1.10-4ubuntu4
21.10 impish
Fixed 1.10-4ubuntu1.1
20.04 LTS focal
Fixed 1.10-0ubuntu4.1
18.04 LTS bionic
Fixed 1.6-5ubuntu1.2
16.04 LTS xenial
14.04 LTS trusty
xz-utils 22.04 LTS jammy
Fixed 5.2.5-2ubuntu1
21.10 impish
Fixed 5.2.5-2ubuntu0.1
20.04 LTS focal
Fixed 5.2.4-1ubuntu1.1
18.04 LTS bionic
Fixed 5.2.2-1.3ubuntu0.1
16.04 LTS xenial
14.04 LTS trusty

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
gzip
xz-utils

Severity score breakdown

Parameter Value
Base score 8.8 · High
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

Other references