[ubuntu/jammy-proposed] gzip 1.10-4ubuntu4 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Fri Apr 8 19:20:52 UTC 2022


gzip (1.10-4ubuntu4) jammy; urgency=medium

  * SECURITY UPDATE: arbitrary file override with crafted file names
    - debian/patches/CVE-2022-1271-1.patch: avoid exploit via multi-newline
      file names in zgrep.in.
    - debian/patches/CVE-2022-1271-2.patch: add test in tests/Makefile.am,
      tests/zgrep-abuse.
    - debian/patches/CVE-2022-1271-3.patch: port to POSIX sed in zgrep.in.
    - debian/patches/CVE-2022-1271-4.patch: optimize out a grep in
      gzexe.in.
    - debian/patches/CVE-2022-1271-5.patch: use C locale more often in
      gzexe.in, sample/zfile, zdiff.in, zgrep.in, znew.in.
    - debian/patches/CVE-2022-1271-6.patch: fix "binary file matches"
      mislabeling in tests/Makefile.am, tests/zgrep-binary, zgrep.in.
    - debian/rules: fix permissions on new test scripts.
    - CVE-2022-1271

Date: Fri, 08 Apr 2022 06:53:06 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/gzip/1.10-4ubuntu4
-------------- next part --------------
Format: 1.8
Date: Fri, 08 Apr 2022 06:53:06 -0400
Source: gzip
Built-For-Profiles: noudeb
Architecture: source
Version: 1.10-4ubuntu4
Distribution: jammy
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Original-Maintainer: Milan Kupcevic <milan at debian.org>

