CVE-2022-1271

Severity High
Remote No
Type Arbitrary command execution
Malicious filenames with two or more newlines can make zgrep and xzgrep write to arbitrary files or, with a GNU sed extension, execute arbitrary commands. The issue with the old code is that with multiple newlines, the N command reads the second line of input; the s commands are then skipped because the end of the file has not been reached yet; a new sed cycle starts and the pattern space is printed and emptied. So only the last line or two get escaped, and any earlier line of the filename is inserted unescaped into the generated sed script.
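The following shell script is an added example, not code from the Arch tracker, gzip or XZ Utils. escape_old is reconstructed from the description above (a `$!N` followed by s commands restricted to the last line; the exact upstream script may differ in detail), and escape_fixed is one safe alternative written for this example, not the upstream patch. It assumes GNU sed (`\n` in a replacement means newline) and uses a constructed three-line filename to show that the old script escapes only the final line while the fixed one escapes every line.

```sh
#!/bin/sh
# Added example: reproduces the zgrep/xzgrep escaping failure for filenames
# containing two or more newlines. Not upstream code; see the lead-in.

# A literal newline for substring checks below.
nl='
'

# Old behaviour (reconstructed from the advisory text): $!N appends the next
# input line, but both s commands carry the $ address, so they run only when
# the pattern space ends at the last line. With three or more lines the first
# cycle stops at line 2, escapes nothing, auto-prints, and a new cycle starts;
# only the final cycle escapes anything.
escape_old() {
    printf '%s\n' "$1" |
        sed '$!N;$s/[&\\|]/\\&/g;$s/\n/\\n/g'
}

# Fixed variant (this example's own, not the upstream fix): escape every line,
# append a literal "\n" to every line except the last, then delete the real
# newlines so the result is a single line however many newlines the name had.
escape_fixed() {
    printf '%s\n' "$1" |
        sed 's/[&\\|]/\\&/g; $!s/$/\\n/' |
        tr -d '\n'
}

# Returns 0 if an escaped name still contains a raw newline or a bare "|",
# either of which would terminate or split the generated "s|^|NAME:|" command.
is_unsafe() {
    case "$1" in
        *"$nl"*) return 0 ;;
    esac
    # drop escaped "\|" pairs, then look for any "|" left over
    if printf '%s' "$1" | sed 's/\\|//g' | grep -q '|'; then
        return 0
    fi
    return 1
}

# Mimics how zgrep/xzgrep prefix each matching line with the (escaped) name.
prefix_lines() {
    printf '%s\n' "$2" | sed "s|^|$1:|"
}

# Constructed attacker-controlled filename: three lines (two newlines), each
# holding a "|" that would close the s command if left unescaped.
name="$(printf 'x|1\ny|2\nz|3')"

if [ "${1:-}" = demo ]; then
    printf 'old escaping (only the last line is escaped):\n%s\n\n' "$(escape_old "$name")"
    printf 'fixed escaping (single line, fully escaped):\n%s\n\n' "$(escape_fixed "$name")"
    prefix_lines "$(escape_fixed "$name")" "hello"
fi
```

Run it as `sh example.sh demo`. With a single newline in the name (two lines), `$!N` reaches the last line in the first cycle and the old script works, which is why the advisory's threshold is two or more newlines.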
Group     Package  Affected  Fixed    Severity  Status  Ticket
AVG-2666  gzip     1.11-1    1.12-1   High      Fixed
AVG-2665  xz       5.2.5-2   5.2.5-3  High      Fixed
Date         Advisory      Group     Package  Severity  Type
07 Apr 2022  ASA-202204-8  AVG-2665  xz       High      arbitrary command execution
07 Apr 2022  ASA-202204-7  AVG-2666  gzip     High      arbitrary command execution
xzgrep from XZ Utils versions up to and including 5.2.5 is affected, as are the 5.3.1alpha and 5.3.2alpha development releases.
This bug was inherited into xzgrep from gzip's zgrep.
gzip 1.12 includes a fix for zgrep.