system/xz: CVE-2022-1271: xzgrep applied to a crafted file name with two or more newlines can overwrite an arbitrary, attacker-selected file.
See #653 (closed).
From https://tukaani.org/xz/:
5.2.5 was released on 2020-03-17. A patch to fix a security vulnerability in xzgrep (CVE-2022-1271, ZDI-CAN-16587) was made public on 2022-04-07. It is a severe issue if an attacker can control the filenames that are given on the xzgrep command line. The vulnerability was discovered by cleemy desu wayo working with Trend Micro Zero Day Initiative. For more information, see the detailed description in the patch file linked below.
From https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-analysis-gzip/:
Using filenames with newline characters can confuse zgrep, which can enable an attacker to overwrite arbitrary files. When GNU sed is also installed, the attacker can gain the ability to perform code execution. Most applications won’t have gzip bundled in this way, but they might make a runtime call to a command line to invoke zgrep. In such a case, if the application uses unsanitized user input for the filename, the vulnerability could be exposed.
Proposed fix: xzgrep-ZDI-CAN-16587.patch
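
Until the patched xzgrep is installed, a caller that takes file names from untrusted input (the case the Synopsys text describes) can refuse names containing newlines before they reach xzgrep, and a tree can be audited for such names. The following is an added example, not part of the upstream patch or of this package; the function names and the `XZGREP` override variable are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for callers of xzgrep (CVE-2022-1271).
# Assumption: rejecting ANY newline is stricter than the "two or more
# newlines" condition in the report, and is chosen here for simplicity.

nl='
'   # a literal newline, portable across POSIX shells

# has_newline NAME -> exit 0 if NAME contains a newline character.
has_newline() {
    case "$1" in
        *"$nl"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# count_newline_names DIR -> prints how many entries under DIR have a
# newline in their name. One byte is emitted per match so the names
# themselves never have to be parsed line by line.
count_newline_names() {
    n=$(find "$1" -name "*${nl}*" -exec printf x \; | wc -c)
    echo $((n))
}

# safe_xzgrep PATTERN FILE... -> runs xzgrep only if every FILE name is
# newline-free. XZGREP is a hypothetical override used for testing.
safe_xzgrep() {
    pattern=$1
    shift
    for f in "$@"; do
        if has_newline "$f"; then
            echo "safe_xzgrep: refusing file name containing a newline" >&2
            return 2
        fi
    done
    "${XZGREP:-xzgrep}" "$pattern" "$@"
}
```

A non-zero result from `count_newline_names` on an upload or spool directory is worth investigating regardless of whether xzgrep is ever run there.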