[SECURITY] [DSA 5123-1] xz-utils security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 5123-1] xz-utils security update
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Mon, 18 Apr 2022 19:36:12 +0000
Message-id: <[🔎] E1ngXAS-0008Dt-Sk@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5123-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 18, 2022                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xz-utils
CVE ID         : CVE-2022-1271
Debian Bug     : 1009167

cleemy desu wayo reported that incorrect handling of filenames by xzgrep
in xz-utils, the XZ-format compression utilities, can result in
overwrite of arbitrary files or execution of arbitrary code if a file
with a specially crafted filename is processed.

For the oldstable distribution (buster), this problem has been fixed
in version 5.2.4-1+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in
version 5.2.5-2.1~deb11u1.

We recommend that you upgrade your xz-utils packages.

For the detailed security status of xz-utils please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/xz-utils

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmJdvZFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0QyGA//fxac3GDLmcVJ+PhY069vHhJS+nzMXTI2HfthlEa5mlnM4C6Ld71dYyPA
GJt6Z4FHr5eeOfURM2A36DVdeUjX/iJ5OQiwpCfYy7ZhqLQzv4fAzIt0YjWDM2Bf
Jnn0fA9tdiAO2JWNVQtAHPT9XM5AtFd1/fJrfDp9bmYGEPi2YPMTRd+tuvPw3IFE
YYuqduVWvHGvzgjFrNzL61YK0/irC4+ILpOQaAF8gsZY8Lq8We8/FQlmuweO7qlh
73IXKbunXDSv9NmVNYhQpuoBnLjrRWFRh24bjgRVmBzLb1K3/c5QmD8Od/iZbA8a
8i0XqhwBMTmlCmj3ItbicL06NSzlgJfSAMrDRGEfvWEQuN4J/pzHQYSU+xVz1Rw5
jCofjGUry+my2GynzPpiqQxOzojIxMy4qTQBFSarbMLWxeeGT9XYnvel9efHoPEC
GD8e5pcIX6fuacxHbn+GMquA3p+iRNNvriyhRISHsKT6vwmr4f7qan6beo7g71Yv
3DI6JS2NEPGhtNk3dZe6T6wslpZ8U241bUqznqxEXi7zt89Z7iiwfjYCzh0c41g2
jyA57EpnuV7Ugna5xvPv7oQE3Vw9PVvc++o2jUp6K74p7wwwqSlgveRpqxLR+CYl
1Jc+Ohy9oL88mj0W7x/SCp0zOCI2N+meTVVoJv8Cb9GupT2nAvE=
=k53J
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DSA 5122-1] gzip security update
Next by Date: [SECURITY] [DSA 5124-1] ffmpeg security update
Previous by thread: [SECURITY] [DSA 5122-1] gzip security update
Next by thread: [SECURITY] [DSA 5124-1] ffmpeg security update
Index(es):
- Date
- Thread