
Cloud Vulnerability DB
A community-led vulnerabilities database
An arbitrary file write vulnerability (CVE-2022-1271) was discovered in GNU gzip's zgrep utility and XZ Utils' xzgrep utility. The vulnerability was found in GNU gzip versions prior to 1.12 and XZ Utils versions up to and including 5.2.5. The flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and target file names are embedded in crafted multi-line file names (NVD, Debian Tracker).
The vulnerability exists in the zgrep and xzgrep utilities' handling of filenames containing multiple newlines. The issue stems from the sed script used to escape filenames before they are embedded in further sed commands: with multiple newlines, the N command reads the second line of input, and the s commands are then skipped because the end of the file has not been reached, so only the last line or two get escaped. The vulnerability has a CVSS v3.1 base score of 8.8 (HIGH) with the vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NetApp Advisory).
When successfully exploited, this vulnerability allows a remote, low-privileged attacker to write arbitrary content to arbitrary attacker-selected files on the system. In some cases, writing to arbitrary files such as shell initialization files can lead to remote code execution (Gentoo Security).
The vulnerability has been fixed in GNU gzip version 1.12 and XZ Utils version 5.2.5. Users should upgrade to these or later versions. For GNU gzip, the fix modifies the sed script to append a backslash at the end of every line except the last and adds LC_ALL=C to the critical sed commands. As a workaround before updating, users should ensure only trusted input is passed to GNU gzip's and XZ Utils' grep helpers to minimize potential impact (GNU Mailing List).
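As an added example (not code from gzip, XZ Utils or this report), the script below shows the fix's escaping approach as a small POSIX shell function, applies it to a `s|^|NAME:|` prefixing step of the kind zgrep uses to label matches, and adds the input guard the workaround calls for; the function names, the prefixing step and the three-line sample filename are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not gzip's or XZ Utils' own code.

# Escape NAME so it can sit verbatim inside a sed `s|^|NAME:|` replacement:
#  - backslash, ampersand and the `|` delimiter get a leading backslash
#  - every line except the last gets a trailing backslash, so an embedded
#    newline continues the replacement instead of terminating the s command
#    and letting the rest of the name be read as further sed commands
# LC_ALL=C keeps sed byte-oriented so no locale-dependent multibyte
# interpretation can swallow a backslash.
escape_sed_replacement() {
  printf '%s\n' "$1" | LC_ALL=C sed '
    s/[\\&|]/\\&/g
    $!s/$/\\/
  '
}

# Prefix every line of stdin with NAME and a colon, the way zgrep labels
# matches when searching several files. A multi-line NAME must come out
# intact; nothing in it may be parsed as a sed command.
prefix_lines() {
  escaped=$(escape_sed_replacement "$1")
  LC_ALL=C sed "s|^|$escaped:|"
}

# Workaround guard for wrappers that still call an unpatched zgrep/xzgrep:
# returns 0 only when NAME contains no newline at all.
NL='
'
name_is_clean() {
  case $1 in
    *"$NL"*) return 1 ;;
    *)       return 0 ;;
  esac
}

# Constructed sample: a three-line filename with sed-special characters,
# the shape of input the original script escaped only partially.
SAMPLE_NAME=$(printf 'report\nline two\nline &three|x')

# Usage: the labelled output reproduces the whole name, newlines included.
printf 'hello\n' | prefix_lines "$SAMPLE_NAME"
if name_is_clean "$SAMPLE_NAME"; then echo "guard failed"; else echo "guard rejected multi-line name"; fi
```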
Source: This report was generated using AI