From 69cd3c7b0aca787d509e0be63695ac318fd56271 Mon Sep 17 00:00:00 2001 From: shixuantong <1726671442@qq.com> Date: Wed, 20 Apr 2022 16:13:48 +0800 Subject: [PATCH] fix CVE-2022-1271 --- backport-0001-CVE-2022-1271.patch | 43 +++++++++++++++++ backport-0002-CVE-2022-1271.patch | 77 +++++++++++++++++++++++++++++++ backport-0003-CVE-2022-1271.patch | 46 ++++++++++++++++++ gzip.spec | 12 ++++- 4 files changed, 176 insertions(+), 2 deletions(-) create mode 100644 backport-0001-CVE-2022-1271.patch create mode 100644 backport-0002-CVE-2022-1271.patch create mode 100644 backport-0003-CVE-2022-1271.patch diff --git a/backport-0001-CVE-2022-1271.patch b/backport-0001-CVE-2022-1271.patch new file mode 100644 index 0000000..171666d --- /dev/null +++ b/backport-0001-CVE-2022-1271.patch @@ -0,0 +1,43 @@ +From dc9740df61e575e8c3148b7bd3c147a81ea00c7c Mon Sep 17 00:00:00 2001 +From: Lasse Collin +Date: Mon, 4 Apr 2022 23:52:49 -0700 +Subject: zgrep: avoid exploit via multi-newline file names + +* zgrep.in: The issue with the old code is that with multiple +newlines, the N-command will read the second line of input, +then the s-commands will be skipped because it's not the end +of the file yet, then a new sed cycle starts and the pattern +space is printed and emptied. So only the last line or two get +escaped. This patch makes sed read all lines into the pattern +space and then do the escaping. + +This vulnerability was discovered by: +cleemy desu wayo working with Trend Micro Zero Day Initiative +--- + zgrep.in | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/zgrep.in b/zgrep.in +index 345dae3..bdf7da2 100644 +--- a/zgrep.in ++++ b/zgrep.in +@@ -222,9 +222,13 @@ do + '* | *'&'* | *'\'* | *'|'*) + i=$(printf '%s\n' "$i" | + sed ' +- $!N +- $s/[&\|]/\\&/g +- $s/\n/\\n/g ++ :start ++ $!{ ++ N ++ b start ++ } ++ s/[&\|]/\\&/g ++ s/\n/\\n/g + ');; + esac + sed_script="s|^|$i:|" +-- +1.8.3.1 + 
diff --git a/backport-0002-CVE-2022-1271.patch b/backport-0002-CVE-2022-1271.patch new file mode 100644 index 0000000..285f60d --- /dev/null +++ b/backport-0002-CVE-2022-1271.patch 
@@ -0,0 +1,77 @@ +From d74a30d45c6834c8e9f87115197370fe86656d81 Mon Sep 17 00:00:00 2001 +From: Jim Meyering +Date: Mon, 4 Apr 2022 23:52:49 -0700 +Subject: zgrep: add NEWS and tests for this exploitable bug + +* tests/zgrep-abuse: New file, based on PoC by cleemy desu wayo. +* tests/Makefile.am (TESTS): Add it. +* NEWS: Mention the exploit. +The bug appears to have been present since the beginning. +--- + tests/Makefile.am | 1 + + tests/zgrep-abuse | 41 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 42 insertions(+) + create mode 100755 tests/zgrep-abuse + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 691bbf8..d565211 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -34,6 +34,7 @@ TESTS = \ + z-suffix \ + zdiff \ + zgrep-f \ ++ zgrep-abuse \ + zgrep-context \ + zgrep-signal \ + znew-k +diff --git a/tests/zgrep-abuse b/tests/zgrep-abuse +new file mode 100755 +index 0000000..3e8a8f9 +--- /dev/null ++++ b/tests/zgrep-abuse +@@ -0,0 +1,41 @@ ++#!/bin/sh ++# Show how zgrep applied to a crafted file name may overwrite ++# a selected file with chosen content. Fixed in gzip-1.12. ++ ++# Copyright (C) 2022 Free Software Foundation, Inc. ++ ++# This program is free software: you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++ ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++ ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++# limit so don't run it by default. ++ ++. "${srcdir=.}/init.sh"; path_prepend_ .. 
++ ++: > z || framework_failure_ ++echo test |gzip > 'z| ++p ++1s|.*|chosen-content| ++1w hacked ++etouch .\x2fhacked2 ++d ++# ++#' || framework_failure_ ++ ++fail=0 ++ ++zgrep test z* > /dev/null ++ ++# Before the fix, each of these would be created. ++test -f hacked && fail=1 ++test -f hacked2 && fail=1 ++ ++Exit $fail +-- +1.8.3.1 + diff --git a/backport-0003-CVE-2022-1271.patch b/backport-0003-CVE-2022-1271.patch new file mode 100644 index 0000000..92abb8c --- /dev/null +++ b/backport-0003-CVE-2022-1271.patch @@ -0,0 +1,46 @@ +From c99f320d5c0fd98fe88d9cea5407eb7ad9d50e8a Mon Sep 17 00:00:00 2001 +From: Paul Eggert +Date: Mon, 4 Apr 2022 23:52:49 -0700 +Subject: zgrep: port to POSIX sed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +* zgrep.in (res): When escaping the file name do not rely on GNU +sed’s extension to POSIX with respect to s/.../\n/. Instead, use +features that should also work with AIX and/or Solaris sed. This is +simpler anyway, and would have prevented the recently-fixed bug. +--- + zgrep.in | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +diff --git a/zgrep.in b/zgrep.in +index bdf7da2..6a16dd1 100644 +--- a/zgrep.in ++++ b/zgrep.in +@@ -220,18 +220,11 @@ do + case $i in + (*' + '* | *'&'* | *'\'* | *'|'*) +- i=$(printf '%s\n' "$i" | +- sed ' +- :start +- $!{ +- N +- b start +- } +- s/[&\|]/\\&/g +- s/\n/\\n/g +- ');; ++ icolon=$(printf '%s\n' "$i:" | ++ sed -e 's/[&\|]/\\&/g' -e '$!s/$/\\/');; ++ (*) icolon="$i:";; + esac +- sed_script="s|^|$i:|" ++ sed_script="s|^|$icolon|" + + # Fail if grep or sed fails. + r=$( +-- +1.8.3.1 + diff --git a/gzip.spec b/gzip.spec index b55b6d2..9260c90 100644 --- a/gzip.spec +++ b/gzip.spec @@ -1,6 +1,6 @@ Name: gzip Version: 1.10 -Release: 2 +Release: 3 Summary: A data compression utility License: GPLv3+ 
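Review bot: The header comment `# limit so don't run it by default.` in the new tests/zgrep-abuse contradicts the Makefile.am hunk in the same patch, which adds `zgrep-abuse` to TESTS so it runs on every `make check`; it reads like a leftover from another test's preamble and should be dropped or replaced with `# Regression test for CVE-2022-1271: a crafted file name must not reach zgrep's sed script unescaped.` The test also exercises only a name containing a newline and `|`; the `&` and `\` escapes that the fix relies on are untested, so a second crafted name such as `'z&\'` followed by a check that the matching line is prefixed with that name verbatim would cover the rest of the `case` pattern. The license URL appears as `see .`, which is most likely an extraction artifact of this page rather than part of the patch.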
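Review bot: The new escaping in zgrep.in carries no comment explaining why exactly `&`, `\`, `|` and newline are handled, nor why the two `-e` expressions must run in that order, so a later reader is likely to "simplify" it back into something exploitable. Suggest above the `case $i in`: `# $i is spliced into the replacement of s|^|...|; only & \ | and newline are special there.` followed by `# Backslash-escape the first three, then turn embedded newlines into backslash-newline (POSIX sed; GNU \n is not portable).` The order matters because `'$!s/$/\\/'` appends a `\` that the preceding `s/[&\|]/\\&/g` must not see and double. The enclosing loop body starts and ends outside this hunk.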
@@ -11,7 +11,11 @@ Patch0: gzexe.patch Patch9000: fix-verbose-disable.patch Patch9100: performance-neoncrc32-and-prfm.patch -BuildRequires: gcc texinfo +Patch6000: backport-0001-CVE-2022-1271.patch +Patch6001: backport-0002-CVE-2022-1271.patch +Patch6002: backport-0003-CVE-2022-1271.patch + +BuildRequires: gcc texinfo automake autoconf Requires: coreutils Conflicts: filesystem < 3 Provides: /bin/gunzip @@ -33,6 +37,7 @@ has the suffix .gz. %ifarch aarch64 export CFLAGS="${CFLAGS:-%optflags} -march=armv8-a+crc" %endif +autoreconf %configure %make_build @@ -58,6 +63,9 @@ make check %{_mandir}/man1/* %changelog +* Wed Apr 20 2022 shixuantong - 1.10-3 +- fix CVE-2022-1271 + * Thu Apr 14 2022 renhongxun - 1.10-2 - update license from GPLv3+,GFDL to GPLv3+ -- Gitee
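Review bot: Declaring `Patch6000`–`Patch6002` only takes effect if `%prep` applies them; that section is outside this hunk, so if the spec uses explicit `%patchN -p1` lines rather than `%autosetup`/`%autopatch`, matching `%patch6000 -p1` through `%patch6002 -p1` entries are required or the CVE fix silently does not land in the built zgrep. The three backports must also keep this numbering order: backport-0003 carries `index bdf7da2..6a16dd1`, the post-image of backport-0001 (`index 345dae3..bdf7da2`), so it fails to apply if reordered. The `autoreconf` added to `%build` is what regenerates tests/Makefile.in for the new `zgrep-abuse` entry; together with the `make check` that the later hunk's context suggests already runs, it appears to give a build-time verification that the fix is effective, which is worth stating in the changelog entry.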