gzip: security fixes

Fixes #536998
This commit is contained in:
Michael Daniels 2026-07-01 17:48:40 -04:00
commit a7a6bd99a2
No known key found for this signature in database
3 changed files with 92 additions and 0 deletions

View file

@ -0,0 +1,52 @@
From 4e6f8b24ab823146ab8776f0b7fe486ab34d4269 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Thu, 16 Apr 2026 12:11:44 -0700
Subject: gzexe: use -C if lacking mktemp
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
(Problem reported by Michał Majchrowicz.)
* gzexe.in: If mktemp is needed but not installed,
use set -C to avoid a race when creating a temporary file.
* zdiff.in: Use the same pattern here, even though the old
code was probably OK anyway.
---
gzexe.in | 1 +
zdiff.in | 7 +++----
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/gzexe.in b/gzexe.in
index ea4ef94..f3d46cc 100644
--- a/gzexe.in
+++ b/gzexe.in
@@ -127,6 +127,7 @@ for i do
tmp=`mktemp "${dir}gzexeXXXXXXXXX"`
else
tmp=${dir}gzexe$$
+ (umask 77; set -C; > "$tmp")
fi && { cp -p "$file" "$tmp" 2>/dev/null || cp "$file" "$tmp"; } || {
res=$?
printf >&2 '%s\n' "$0: cannot copy $file"
diff --git a/zdiff.in b/zdiff.in
index 289e466..53266df 100644
--- a/zdiff.in
+++ b/zdiff.in
@@ -156,12 +156,11 @@ case $file2 in
*) TMPDIR=/tmp/;;
esac
if command -v mktemp >/dev/null 2>&1; then
- tmp=`mktemp "${TMPDIR}zdiffXXXXXXXXX"` ||
- exit 2
+ tmp=`mktemp "${TMPDIR}zdiffXXXXXXXXX"`
else
- set -C
tmp=${TMPDIR}zdiff$$
- fi
+ (umask 77; set -C; > "$tmp")
+ fi &&
'gzip' -cdfq -- "$file2" > "$tmp" || exit 2
gzip_status=$(
exec 4>&1
--
cgit v1.2.3

View file

@ -0,0 +1,35 @@
From 63dbf6b3b9e6e781df1a6a64e609b10e23969681 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Wed, 15 Apr 2026 12:00:17 -0700
Subject: gzip: dont mishandle .lzh after .Z
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Problem reported by Michał Majchrowicz.
* unlzh.c (read_c_len): Clear left and right when n == 0.
---
unlzh.c | 6 ++++++
1 file changed, 6 insertions(+)
(limited to 'unlzh.c')
diff --git a/unlzh.c b/unlzh.c
index 3320196..a6cf109 100644
--- a/unlzh.c
+++ b/unlzh.c
@@ -232,6 +232,12 @@ read_c_len ()
c = getbits(CBIT);
for (i = 0; i < NC; i++) c_len[i] = 0;
for (i = 0; i < 4096; i++) c_table[i] = c;
+
+ /* Needed in case LEFT and RIGHT are reused from a previous
+ LZW decompression. It may be overkill to clear all of both
+ arrays, but nobody has had time to analyze this carefully. */
+ memzero(left, (2 * NC - 1) * sizeof *left);
+ memzero(right, (2 * NC - 1) * sizeof *left);
} else {
i = 0;
while (i < n) {
--
cgit v1.3

View file

@ -25,6 +25,11 @@ stdenv.mkDerivation (finalAttrs: {
hash = "sha256-Aae4gb0iC/32Ffl7hxj4C9/T9q3ThbmT3Pbv0U6MCsY=";
};
patches = [
./CVE-2026-41991.patch
./CVE-2026-41992.patch
];
outputs = [
"out"
"man"