Status: Closed
Labels: bug, changelog-ignore, false-positive
Description
Analysis and Justification: False Positive Detection of CVE-2022-1271 in gzip
Summary of the Finding
The Grype security scanner has reported a vulnerability in gzip (CVE-2022-1271) due to the presence of version 1.10-4ubuntu4.1 in our image. According to Grype's database, this version is still vulnerable because the issue was fixed in gzip 1.12. However, after a thorough verification, we have determined that this detection is a false positive.
Full analysis

```
 ✔ Vulnerability DB                [updated]
 ✔ Loaded image                    cti_cti:latest
 ✔ Parsed image                    sha256:6f8374513a25632d47859b454246528fa99071f27d85dfae3fa875df2ec7b971
 ✔ Cataloged contents              bc3b9f7b90943b4131423068d8facd43b61cd030c73695acf5f5407f8da119bf
   ├── ✔ Packages                  [192 packages]
   ├── ✔ File digests              [3,317 files]
   ├── ✔ File metadata             [3,317 locations]
   └── ✔ Executables               [884 executables]
 ✔ Scanned for vulnerabilities     [67 vulnerability matches]
   ├── by severity: 0 critical, 1 high, 19 medium, 40 low, 7 negligible
   └── by status:   24 fixed, 43 not-fixed, 0 ignored
```
| NAME | INSTALLED | FIXED-IN | TYPE | VULNERABILITY | SEVERITY |
|---|---|---|---|---|---|
| coreutils | 8.32-4.1ubuntu1.2 | | deb | CVE-2016-2781 | Low |
| curl | 7.81.0-1ubuntu1.20 | | deb | CVE-2025-0167 | Low |
| gcc-12-base | 12.3.0-1ubuntu1~22.04 | | deb | CVE-2022-27943 | Low |
| gcc-12-base | 12.3.0-1ubuntu1~22.04 | | deb | CVE-2023-4039 | Low |
| gpgv | 2.2.27-3ubuntu2.1 | | deb | CVE-2022-3219 | Low |
| gzip | 1.10 | 1.12 | binary | CVE-2022-1271 | High |
| libc-bin | 2.35-0ubuntu3.8 | 2.35-0ubuntu3.9 | deb | CVE-2025-0395 | Medium |
| libc-bin | 2.35-0ubuntu3.8 | | deb | CVE-2016-20013 | Negligible |
| libc6 | 2.35-0ubuntu3.8 | 2.35-0ubuntu3.9 | deb | CVE-2025-0395 | Medium |
| libc6 | 2.35-0ubuntu3.8 | | deb | CVE-2016-20013 | Negligible |
| libcap2 | 1:2.44-1ubuntu0.22.04.1 | 1:2.44-1ubuntu0.22.04.2 | deb | CVE-2025-1390 | Medium |
| libcurl4 | 7.81.0-1ubuntu1.20 | | deb | CVE-2025-0167 | Low |
| libgcc-s1 | 12.3.0-1ubuntu1~22.04 | | deb | CVE-2022-27943 | Low |
| libgcc-s1 | 12.3.0-1ubuntu1~22.04 | | deb | CVE-2023-4039 | Low |
| libgcrypt20 | 1.9.4-3ubuntu3 | | deb | CVE-2024-2236 | Low |
| libgnutls30 | 3.7.3-4ubuntu1.5 | 3.7.3-4ubuntu1.6 | deb | CVE-2024-12243 | Medium |
| libgssapi-krb5-2 | 1.19.2-2ubuntu0.4 | 1.19.2-2ubuntu0.5 | deb | CVE-2024-3596 | Medium |
| libgssapi-krb5-2 | 1.19.2-2ubuntu0.4 | 1.19.2-2ubuntu0.6 | deb | CVE-2025-24528 | Medium |
| libgssapi-krb5-2 | 1.19.2-2ubuntu0.4 | 1.19.2-2ubuntu0.6 | deb | CVE-2024-26461 | Low |
| libgssapi-krb5-2 | 1.19.2-2ubuntu0.4 | 1.19.2-2ubuntu0.6 | deb | CVE-2024-26458 | Negligible |
| libk5crypto3 | 1.19.2-2ubuntu0.4 | 1.19.2-2ubuntu0.5 | deb | CVE-2024-3596 | Medium |
| libk5crypto3 | 1.19.2-2ubuntu0.4 | 1.19.2-2ubuntu0.6 | deb | CVE-2025-24528 | Medium |
| libk5crypto3 | 1.19.2-2ubuntu0.4 | 1.19.2-2ubuntu0.6 | deb | CVE-2024-26461 | Low |
| libk5crypto3 | 1.19.2-2ubuntu0.4 | 1.19.2-2ubuntu0.6 | deb | CVE-2024-26458 | Negligible |
| libkrb5-3 | 1.19.2-2ubuntu0.4 | 1.19.2-2ubuntu0.5 | deb | CVE-2024-3596 | Medium |
| libkrb5-3 | 1.19.2-2ubuntu0.4 | 1.19.2-2ubuntu0.6 | deb | CVE-2025-24528 | Medium |
| libkrb5-3 | 1.19.2-2ubuntu0.4 | 1.19.2-2ubuntu0.6 | deb | CVE-2024-26461 | Low |
| libkrb5-3 | 1.19.2-2ubuntu0.4 | 1.19.2-2ubuntu0.6 | deb | CVE-2024-26458 | Negligible |
| libkrb5support0 | 1.19.2-2ubuntu0.4 | 1.19.2-2ubuntu0.5 | deb | CVE-2024-3596 | Medium |
| libkrb5support0 | 1.19.2-2ubuntu0.4 | 1.19.2-2ubuntu0.6 | deb | CVE-2025-24528 | Medium |
| libkrb5support0 | 1.19.2-2ubuntu0.4 | 1.19.2-2ubuntu0.6 | deb | CVE-2024-26461 | Low |
| libkrb5support0 | 1.19.2-2ubuntu0.4 | 1.19.2-2ubuntu0.6 | deb | CVE-2024-26458 | Negligible |
| libncurses6 | 6.3-2ubuntu0.1 | | deb | CVE-2023-45918 | Low |
| libncurses6 | 6.3-2ubuntu0.1 | | deb | CVE-2023-50495 | Low |
| libncursesw6 | 6.3-2ubuntu0.1 | | deb | CVE-2023-45918 | Low |
| libncursesw6 | 6.3-2ubuntu0.1 | | deb | CVE-2023-50495 | Low |
| libpam-modules | 1.4.0-11ubuntu2.5 | | deb | CVE-2024-10041 | Medium |
| libpam-modules-bin | 1.4.0-11ubuntu2.5 | | deb | CVE-2024-10041 | Medium |
| libpam-runtime | 1.4.0-11ubuntu2.5 | | deb | CVE-2024-10041 | Medium |
| libpam0g | 1.4.0-11ubuntu2.5 | | deb | CVE-2024-10041 | Medium |
| libpcre2-8-0 | 10.39-3ubuntu0.1 | | deb | CVE-2022-41409 | Low |
| libpcre3 | 2:8.39-13ubuntu0.22.04.1 | | deb | CVE-2017-11164 | Negligible |
| libpython3.10-minimal | 3.10.12-1~22.04.9 | | deb | CVE-2025-1795 | Low |
| libpython3.10-stdlib | 3.10.12-1~22.04.9 | | deb | CVE-2025-1795 | Low |
| libssl3 | 3.0.2-0ubuntu1.18 | 3.0.2-0ubuntu1.19 | deb | CVE-2024-13176 | Low |
| libssl3 | 3.0.2-0ubuntu1.18 | | deb | CVE-2024-41996 | Low |
| libssl3 | 3.0.2-0ubuntu1.18 | 3.0.2-0ubuntu1.19 | deb | CVE-2024-9143 | Low |
| libstdc++6 | 12.3.0-1ubuntu1~22.04 | | deb | CVE-2022-27943 | Low |
| libstdc++6 | 12.3.0-1ubuntu1~22.04 | | deb | CVE-2023-4039 | Low |
| libsystemd0 | 249.11-0ubuntu3.12 | | deb | CVE-2023-7008 | Low |
| libtasn1-6 | 4.18.0-4build1 | 4.18.0-4ubuntu0.1 | deb | CVE-2024-12133 | Medium |
| libtasn1-6 | 4.18.0-4build1 | | deb | CVE-2021-46848 | Low |
| libtinfo6 | 6.3-2ubuntu0.1 | | deb | CVE-2023-45918 | Low |
| libtinfo6 | 6.3-2ubuntu0.1 | | deb | CVE-2023-50495 | Low |
| libudev1 | 249.11-0ubuntu3.12 | | deb | CVE-2023-7008 | Low |
| libzstd1 | 1.4.8+dfsg-3build1 | | deb | CVE-2022-4899 | Low |
| login | 1:4.8.1-2ubuntu2.2 | | deb | CVE-2024-56433 | Medium |
| login | 1:4.8.1-2ubuntu2.2 | | deb | CVE-2023-29383 | Low |
| ncurses-base | 6.3-2ubuntu0.1 | | deb | CVE-2023-45918 | Low |
| ncurses-base | 6.3-2ubuntu0.1 | | deb | CVE-2023-50495 | Low |
| ncurses-bin | 6.3-2ubuntu0.1 | | deb | CVE-2023-45918 | Low |
| ncurses-bin | 6.3-2ubuntu0.1 | | deb | CVE-2023-50495 | Low |
| openssl | 3.0.2-0ubuntu1.19 | | deb | CVE-2024-41996 | Low |
| passwd | 1:4.8.1-2ubuntu2.2 | | deb | CVE-2024-56433 | Medium |
| passwd | 1:4.8.1-2ubuntu2.2 | | deb | CVE-2023-29383 | Low |
| python3.10 | 3.10.12-1~22.04.9 | | deb | CVE-2025-1795 | Low |
| python3.10-minimal | 3.10.12-1~22.04.9 | | deb | CVE-2025-1795 | Low |
Reason for the False Positive

- **Ubuntu has already patched CVE-2022-1271 in gzip 1.10-4ubuntu4.1**
  - According to the gzip changelog in Ubuntu 22.04, multiple patches addressing CVE-2022-1271 have been applied.
  - Running `apt changelog gzip | grep CVE-2022-1271` confirms that six specific patches (patch-1 to patch-6) were implemented to mitigate the vulnerability without upgrading to 1.12.

    ```
    root@32f432d75ee3:/# apt changelog gzip | grep CVE-2022-1271
    WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
      - debian/patches/CVE-2022-1271-1.patch: avoid exploit via multi-newline
      - debian/patches/CVE-2022-1271-2.patch: add test in tests/Makefile.am,
      - debian/patches/CVE-2022-1271-3.patch: port to POSIX sed in zgrep.in.
      - debian/patches/CVE-2022-1271-4.patch: optimize out a grep in
      - debian/patches/CVE-2022-1271-5.patch: use C locale more often in
      - debian/patches/CVE-2022-1271-6.patch: fix "binary file matches"
      - CVE-2022-1271
    ```

- **Grype does not recognize Ubuntu's security patches**
  - Grype detects vulnerabilities based on software versions without considering distribution-specific security patches.
  - As a result, it mistakenly assumes that gzip 1.10 is still vulnerable, even though the installed version (1.10-4ubuntu4.1) already contains the necessary fixes.

- **Official confirmation from Ubuntu**
  - The Ubuntu security page for CVE-2022-1271 confirms that the issue was fixed in version 1.10-4ubuntu4.
  - The installed version (1.10-4ubuntu4.1) is newer and includes the same security patches.

- **Installation verification**
  - The following command confirms that the patched version of gzip is installed:

    ```
    root@32f432d75ee3:/# apt list -a gzip
    Listing... Done
    gzip/jammy-updates,now 1.10-4ubuntu4.1 amd64 [installed]
    gzip/jammy 1.10-4ubuntu4 amd64
    ```

  - This verifies that we are running the patched version of gzip.
- **Grype is using NVD feed instead of Ubuntu vulnerability feed**
  - By executing the command `grype <image_name> -o json | jq '.matches[] | select(.artifact.name == "gzip")'` we obtain the following result:

Details

```
 ✔ Loaded image                    cti_cti:latest
 ✔ Vulnerability DB                [no update available]
 ✔ Parsed image                    sha256:6f8374513a25632d47859b454246528fa99071f27d85dfae3fa875df2ec7b971
 ✔ Cataloged contents              bc3b9f7b90943b4131423068d8facd43b61cd030c73695acf5f5407f8da119bf
   ├── ✔ Packages                  [192 packages]
   ├── ✔ File digests              [3,317 files]
   ├── ✔ File metadata             [3,317 locations]
   └── ✔ Executables               [884 executables]
 ✔ Scanned for vulnerabilities     [67 vulnerability matches]
   ├── by severity: 0 critical, 1 high, 19 medium, 40 low, 7 negligible
   └── by status:   24 fixed, 43 not-fixed, 0 ignored
{
  "vulnerability": {
    "id": "CVE-2022-1271",
    "dataSource": "nvd",
    "namespace": "nvd:cpe",
    "severity": "High",
    "urls": [
      "https://nvd.nist.gov/vuln/detail/CVE-2022-1271",
      "https://access.redhat.com/security/cve/CVE-2022-1271",
      "https://bugzilla.redhat.com/show_bug.cgi?id=2073310",
      "https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0589cb63d6",
      "https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html",
      "https://security-tracker.debian.org/tracker/CVE-2022-1271",
      "https://security.gentoo.org/glsa/202209-01",
      "https://security.netapp.com/advisory/ntap-20220930-0006/",
      "https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch",
      "https://www.openwall.com/lists/oss-security/2022/04/07/8",
      "https://access.redhat.com/security/cve/CVE-2022-1271",
      "https://bugzilla.redhat.com/show_bug.cgi?id=2073310",
      "https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0589cb63d6",
      "https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html",
      "https://security-tracker.debian.org/tracker/CVE-2022-1271",
      "https://security.gentoo.org/glsa/202209-01",
      "https://security.netapp.com/advisory/ntap-20220930-0006/",
      "https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch",
      "https://www.openwall.com/lists/oss-security/2022/04/07/8"
    ],
    "description": "An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.",
    "cvss": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "version": "3.1",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "metrics": { "baseScore": 8.8, "exploitabilityScore": 2.9, "impactScore": 5.9 },
        "vendorMetadata": {}
      }
    ],
    "epss": [
      { "cve": "CVE-2022-1271", "epss": 0.07629, "percentile": 0.94292, "date": "2025-03-12" }
    ],
    "fix": { "versions": [ "1.12" ], "state": "fixed" },
    "advisories": []
  },
  "relatedVulnerabilities": [
    {
      "id": "CVE-2022-1271",
      "dataSource": "nvd",
      "namespace": "nvd:cpe",
      "severity": "High",
      "urls": [
        "https://nvd.nist.gov/vuln/detail/CVE-2022-1271",
        "https://access.redhat.com/security/cve/CVE-2022-1271",
        "https://bugzilla.redhat.com/show_bug.cgi?id=2073310",
        "https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0589cb63d6",
        "https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html",
        "https://security-tracker.debian.org/tracker/CVE-2022-1271",
        "https://security.gentoo.org/glsa/202209-01",
        "https://security.netapp.com/advisory/ntap-20220930-0006/",
        "https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch",
        "https://www.openwall.com/lists/oss-security/2022/04/07/8",
        "https://access.redhat.com/security/cve/CVE-2022-1271",
        "https://bugzilla.redhat.com/show_bug.cgi?id=2073310",
        "https://git.tukaani.org/?p=xz.git%3Ba=commit%3Bh=69d1b3fc29677af8ade8dc15dba83f0589cb63d6",
        "https://lists.gnu.org/r/bug-gzip/2022-04/msg00011.html",
        "https://security-tracker.debian.org/tracker/CVE-2022-1271",
        "https://security.gentoo.org/glsa/202209-01",
        "https://security.netapp.com/advisory/ntap-20220930-0006/",
        "https://tukaani.org/xz/xzgrep-ZDI-CAN-16587.patch",
        "https://www.openwall.com/lists/oss-security/2022/04/07/8"
      ],
      "description": "An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.",
      "cvss": [
        {
          "source": "nvd@nist.gov",
          "type": "Primary",
          "version": "3.1",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "metrics": { "baseScore": 8.8, "exploitabilityScore": 2.9, "impactScore": 5.9 },
          "vendorMetadata": {}
        }
      ],
      "epss": [
        { "cve": "CVE-2022-1271", "epss": 0.07629, "percentile": 0.94292, "date": "2025-03-12" }
      ]
    }
  ],
  "matchDetails": [
    {
      "type": "cpe-match",
      "matcher": "stock-matcher",
      "searchedBy": {
        "namespace": "nvd:cpe",
        "cpes": [ "cpe:2.3:a:gnu:gzip:1.10:*:*:*:*:*:*:*" ],
        "package": { "name": "gzip", "version": "1.10" }
      },
      "found": {
        "vulnerabilityID": "CVE-2022-1271",
        "versionConstraint": "< 1.12 (unknown)",
        "cpes": [ "cpe:2.3:a:gnu:gzip:*:*:*:*:*:*:*:*" ]
      },
      "fix": { "suggestedVersion": "1.12" }
    }
  ],
  "artifact": {
    "id": "acbe1c441587db3e",
    "name": "gzip",
    "version": "1.10",
    "type": "binary",
    "locations": [
      {
        "path": "/usr/bin/gzip",
        "layerID": "sha256:270a1170e7e398434ff1b31e17e233f7d7b71aa99a40473615860068e86720af",
        "accessPath": "/usr/bin/gzip",
        "annotations": { "evidence": "primary" }
      }
    ],
    "language": "",
    "licenses": [],
    "cpes": [ "cpe:2.3:a:gnu:gzip:1.10:*:*:*:*:*:*:*" ],
    "purl": "pkg:generic/gzip@1.10",
    "upstreams": []
  }
}
```
Environment:

- Output of `grype version`:

  ```
  Application:         grype
  Version:             0.89.0
  BuildDate:           2025-03-06T22:15:44Z
  GitCommit:           1bf47c38bede40dea7b72bbe4712191820f1aa15
  GitDescription:      v0.89.0
  Platform:            linux/amd64
  GoVersion:           go1.24.1
  Compiler:            gc
  Syft Version:        v1.20.0
  Supported DB Schema: 6
  ```

- OS (e.g. `cat /etc/os-release` or similar):

  ```
  PRETTY_NAME="Ubuntu 22.04.5 LTS"
  NAME="Ubuntu"
  VERSION_ID="22.04"
  VERSION="22.04.5 LTS (Jammy Jellyfish)"
  VERSION_CODENAME=jammy
  ID=ubuntu
  ID_LIKE=debian
  HOME_URL="https://www.ubuntu.com/"
  SUPPORT_URL="https://help.ubuntu.com/"
  BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
  PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
  UBUNTU_CODENAME=jammy
  ```
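The JSON in the report shows where the Ubuntu patch level was lost: the flagged artifact is `"type": "binary"` with purl `pkg:generic/gzip@1.10`, found at `/usr/bin/gzip`, and it was matched by `stock-matcher` as a `cpe-match` in the `nvd:cpe` namespace, so the dpkg version string `1.10-4ubuntu4.1` never entered the comparison and the upstream fix version `1.12` is the only one Grype could suggest. (The NVD description also names `zgrep`, a script shipped by the same package, not the ELF binary that was cataloged.) The script below is an added example, not code from the Grype project or from this report: it reads the same `grype -o json` output together with `dpkg -S` and `dpkg-query -W -f='${Package} ${Version}\n'` output from the image, flags binary-cataloged matches whose path is owned by a dpkg package, and renders a `.grype.yaml` ignore stanza scoped to that exact artifact and location rather than to the CVE globally. All inputs are constructed; the second match is invented for contrast and its namespace and matcher strings are illustrative. The ignore-rule fields used (`vulnerability`, `package.name`, `package.version`, `package.type`, `package.location`) are Grype's documented ones; confirm them against the Grype version in use.

```python
"""Flag Grype matches that came from the binary cataloger but sit on a
dpkg-owned path, and render a scoped .grype.yaml ignore rule for review.

Added example; not Grype project code and not part of the issue above.
"""
import json
from dataclasses import dataclass

# Constructed sample, trimmed to the fields the issue's `grype -o json`
# output shows. The second match is invented for contrast (a normal dpkg
# match); its namespace/matcher strings are illustrative.
GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2022-1271", "namespace": "nvd:cpe", "severity": "High",
                       "fix": {"versions": ["1.12"], "state": "fixed"}},
     "matchDetails": [{"type": "cpe-match", "matcher": "stock-matcher"}],
     "artifact": {"name": "gzip", "version": "1.10", "type": "binary",
                  "purl": "pkg:generic/gzip@1.10",
                  "locations": [{"path": "/usr/bin/gzip"}]}},
    {"vulnerability": {"id": "CVE-2025-0395", "namespace": "ubuntu:distro:ubuntu:22.04",
                       "severity": "Medium",
                       "fix": {"versions": ["2.35-0ubuntu3.9"], "state": "fixed"}},
     "matchDetails": [{"type": "exact-direct-match", "matcher": "dpkg-matcher"}],
     "artifact": {"name": "libc6", "version": "2.35-0ubuntu3.8", "type": "deb",
                  "purl": "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.8",
                  "locations": [{"path": "/var/lib/dpkg/status"}]}},
]})

# Constructed output of `dpkg -S /usr/bin/gzip /usr/bin/zgrep` and of
# `dpkg-query -W -f='${Package} ${Version}\n'`, as run inside the image.
DPKG_S = "gzip: /usr/bin/gzip\ngzip: /usr/bin/zgrep\n"
DPKG_VERSIONS = "gzip 1.10-4ubuntu4.1\nlibc6 2.35-0ubuntu3.8\n"


@dataclass
class Suspect:
    cve: str
    name: str            # artifact name as the binary cataloger saw it
    version: str         # upstream-looking version, e.g. 1.10
    path: str
    owner: str           # dpkg package that owns the path
    owner_version: str   # distro version string Grype never compared
    namespace: str
    matcher: str


def parse_dpkg_s(text):
    """'pkg: /path' or 'pkg1, pkg2: /path' -> {path: [pkg, ...]}; arch suffixes dropped."""
    owners = {}
    for line in text.splitlines():
        if ": " not in line or line.startswith("diversion"):
            continue
        pkgs, path = line.rsplit(": ", 1)
        owners[path.strip()] = [p.strip().split(":")[0] for p in pkgs.split(",")]
    return owners


def parse_versions(text):
    """'pkg version' per line -> {pkg: version}."""
    versions = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            versions[parts[0]] = parts[1]
    return versions


def is_binary_catalog_match(match):
    """True when the artifact was found by the binary cataloger, not a package manager."""
    art = match["artifact"]
    return art.get("type") == "binary" or art.get("purl", "").startswith("pkg:generic/")


def find_suspects(grype_json, dpkg_s, dpkg_versions):
    """Binary-cataloged matches whose file path is owned by a dpkg package."""
    owners, versions = parse_dpkg_s(dpkg_s), parse_versions(dpkg_versions)
    found = []
    for m in json.loads(grype_json)["matches"]:
        if not is_binary_catalog_match(m):
            continue
        details = m.get("matchDetails") or [{}]
        for loc in m["artifact"].get("locations", []):
            for owner in owners.get(loc.get("path", ""), []):
                found.append(Suspect(
                    cve=m["vulnerability"]["id"],
                    name=m["artifact"]["name"], version=m["artifact"]["version"],
                    path=loc["path"], owner=owner,
                    owner_version=versions.get(owner, "unknown"),
                    namespace=m["vulnerability"].get("namespace", ""),
                    matcher=details[0].get("matcher", "")))
    return found


def ignore_rules_yaml(suspects):
    """Render a .grype.yaml ignore stanza scoped to the exact artifact and path."""
    lines = ["ignore:"]
    for s in suspects:
        lines += [
            f"  # {s.path} is owned by {s.owner} {s.owner_version}; matched via {s.namespace} ({s.matcher}).",
            f"  # Keep only after checking the distro advisory for {s.cve}.",
            f"  - vulnerability: {s.cve}",
            "    package:",
            f"      name: {s.name}",
            f"      version: {s.version}",
            "      type: binary",
            f'      location: "{s.path}"',
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    suspects = find_suspects(GRYPE_JSON, DPKG_S, DPKG_VERSIONS)
    for s in suspects:
        print(f"{s.cve}: {s.name}@{s.version} at {s.path} is owned by {s.owner} "
              f"{s.owner_version}; matched in {s.namespace} by {s.matcher}")
    print(ignore_rules_yaml(suspects))
```

On the sample input only the gzip match is flagged; the libc6 match is a dpkg-backed match in the distro namespace and is left alone. The rule is scoped to the artifact name, version, type and path so that a future gzip finding against the real dpkg package, or a different CVE, still surfaces; the comment lines carry the justification into the config so a reviewer can re-check the distro tracker later.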