[ASA-202204-8] xz: arbitrary command execution
Arch Linux Security Advisory ASA-202204-8
=========================================

Severity: High
Date    : 2022-04-07
CVE-ID  : CVE-2022-1271
Package : xz
Type    : arbitrary command execution
Remote  : No
Link    :

Summary
=======

The package xz before version 5.2.5-3 is vulnerable to arbitrary command execution.

Resolution
==========

Upgrade to 5.2.5-3.

# pacman -Syu "xz>=5.2.5-3"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

Malicious filenames with two or more newlines can make zgrep and xzgrep write to arbitrary files or (with a GNU sed extension) lead to arbitrary code execution.

The issue with the old code is that with multiple newlines, the N-command will read the second line of input, then the s-commands will be skipped because it's not the end of the file yet, then a new sed cycle starts and the pattern space is printed and emptied. So only the last line or two get escaped.

Impact
======

An attacker is able to provide malicious filenames to write to arbitrary files or execute arbitrary commands on the affected host.

References
==========

;a=commit;h=69d1b3fc29677af8ade8dc15dba83f0589cb63d6
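Added example, not part of the advisory or of the xz project's code, illustrating the escaping failure in the Description: `old_escape` is a reconstruction (an assumption) of the pre-fix sed script with an N-command followed by s-commands guarded by the last-line address, and `safe_escape` is a hardened variant of this example's own that collects the whole filename before escaping. The filename is constructed, and GNU sed is assumed.

```shell
#!/bin/bash
# Escaping a filename before it is spliced into the "s|^|FILE:|" sed script
# that xzgrep uses to prefix each match with the file name. Both functions
# below are this example's own; old_escape is an assumed reconstruction.

# Pre-fix style: N pulls in the next line, and the s-commands run only on the
# last line ($). With two or more newlines the first cycle ends before the $
# guard holds, so the pattern space is printed unescaped.
old_escape() {
  printf '%s\n' "$1" | sed '
    $!N
    $s/[&\|]/\\&/g
    $s/\n/\\n/g
  '
}

# Hardened variant: loop on N until the whole filename is in the pattern
# space, then escape every & \ | and newline in a single pass.
safe_escape() {
  printf '%s\n' "$1" | sed '
    :a
    $!{
      N
      b a
    }
    s/[&\|]/\\&/g
    s/\n/\\n/g
  '
}

# Splice an escaped name into the prefixing script, as xzgrep does.
prefix_matches() {
  sed "s|^|$1:|"
}

# Constructed filename: a pipe and two newlines, the shape the old logic
# mishandles (a name with a single newline still comes out escaped).
fname=$(printf 'a\nb|c\nd')
echo "old escaping:";  old_escape "$fname"    # three lines, '|' untouched
echo "safe escaping:"; safe_escape "$fname"   # one line: a\nb\|c\nd
echo "prefixed match:"
printf 'hit\n' | prefix_matches "$(safe_escape "$fname")"
```

With the old output spliced into `s|^|...:|`, the raw newlines end the s-command early and the remaining lines are parsed as further sed commands, which is the file-write and command-execution path the advisory describes.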