Your message dated Fri, 22 Apr 2022 06:17:10 +0000
with message-id <e1nhmbo-0004yj...@fasolo.debian.org>
and subject line Bug#1009167: fixed in xz-utils 5.2.5-2.1~deb11u1
has caused the Debian Bug report #1009167,
regarding xz-utils: CVE-2022-1271: xzgrep: arbitrary-file-write vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1009167: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009167
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: xz-utils
Version: 5.2.5-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: clone -1 -2
Control: retitle -2 gzip: CVE-2022-1271: zgrep: arbitrary-file-write vulnerability
Control: reassign -2 src:gzip 1.10-4
Control: found -2 1.9-3

Hi,

The following vulnerability was published for xz-utils and gzip; both
have to date been assigned the same CVE, and this bug is being cloned
as well to have one for gzip.

CVE-2022-1271[0]:
| zgrep, xzgrep: arbitrary-file-write vulnerability

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-1271
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271
[1] https://www.openwall.com/lists/oss-security/2022/04/07/8
[2] https://git.tukaani.org/?p=xz.git;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
[3] https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: xz-utils
Source-Version: 5.2.5-2.1~deb11u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
xz-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1009...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated xz-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 11 Apr 2022 16:36:49 +0200
Source: xz-utils
Architecture: source
Version: 5.2.5-2.1~deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Jonathan Nieder <jrnie...@gmail.com>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1009167
Changes:
 xz-utils (5.2.5-2.1~deb11u1) bullseye-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Rebuild for bullseye-security.
 .
 xz-utils (5.2.5-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * xzgrep: Fix escaping of malicious filenames (ZDI-CAN-16587)
     (CVE-2022-1271) (Closes: #1009167)

--- End Message ---
