diff --git a/pkgs/tools/compression/gzip/CVE-2026-41991.patch b/pkgs/tools/compression/gzip/CVE-2026-41991.patch new file mode 100644 index 000000000000..657d8553bcd2 --- /dev/null +++ b/pkgs/tools/compression/gzip/CVE-2026-41991.patch @@ -0,0 +1,52 @@ +From 4e6f8b24ab823146ab8776f0b7fe486ab34d4269 Mon Sep 17 00:00:00 2001 +From: Paul Eggert +Date: Thu, 16 Apr 2026 12:11:44 -0700 +Subject: gzexe: use -C if lacking mktemp +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +(Problem reported by Michał Majchrowicz.) +* gzexe.in: If mktemp is needed but not installed, +use ‘set -C’ to avoid a race when creating a temporary file. +* zdiff.in: Use the same pattern here, even though the old +code was probably OK anyway. +--- + gzexe.in | 1 + + zdiff.in | 7 +++---- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/gzexe.in b/gzexe.in +index ea4ef94..f3d46cc 100644 +--- a/gzexe.in ++++ b/gzexe.in +@@ -127,6 +127,7 @@ for i do + tmp=`mktemp "${dir}gzexeXXXXXXXXX"` + else + tmp=${dir}gzexe$$ ++ (umask 77; set -C; > "$tmp") + fi && { cp -p "$file" "$tmp" 2>/dev/null || cp "$file" "$tmp"; } || { + res=$? + printf >&2 '%s\n' "$0: cannot copy $file" +diff --git a/zdiff.in b/zdiff.in +index 289e466..53266df 100644 +--- a/zdiff.in ++++ b/zdiff.in +@@ -156,12 +156,11 @@ case $file2 in + *) TMPDIR=/tmp/;; + esac + if command -v mktemp >/dev/null 2>&1; then +- tmp=`mktemp "${TMPDIR}zdiffXXXXXXXXX"` || +- exit 2 ++ tmp=`mktemp "${TMPDIR}zdiffXXXXXXXXX"` + else +- set -C + tmp=${TMPDIR}zdiff$$ +- fi ++ (umask 77; set -C; > "$tmp") ++ fi && + 'gzip' -cdfq -- "$file2" > "$tmp" || exit 2 + gzip_status=$( + exec 4>&1 +-- +cgit v1.2.3 diff --git a/pkgs/tools/compression/gzip/CVE-2026-41992.patch b/pkgs/tools/compression/gzip/CVE-2026-41992.patch new file mode 100644 index 000000000000..f7576a2b7872 --- /dev/null +++ b/pkgs/tools/compression/gzip/CVE-2026-41992.patch @@ -0,0 +1,35 @@ +From 63dbf6b3b9e6e781df1a6a64e609b10e23969681 Mon Sep 17 00:00:00 2001 +From: Paul Eggert +Date: Wed, 15 Apr 2026 12:00:17 -0700 +Subject: gzip: don’t mishandle .lzh after .Z +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Problem reported by Michał Majchrowicz. +* unlzh.c (read_c_len): Clear left and right when n == 0. +--- + unlzh.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +(limited to 'unlzh.c') + +diff --git a/unlzh.c b/unlzh.c +index 3320196..a6cf109 100644 +--- a/unlzh.c ++++ b/unlzh.c +@@ -232,6 +232,12 @@ read_c_len () + c = getbits(CBIT); + for (i = 0; i < NC; i++) c_len[i] = 0; + for (i = 0; i < 4096; i++) c_table[i] = c; ++ ++ /* Needed in case LEFT and RIGHT are reused from a previous ++ LZW decompression. It may be overkill to clear all of both ++ arrays, but nobody has had time to analyze this carefully. */ ++ memzero(left, (2 * NC - 1) * sizeof *left); ++ memzero(right, (2 * NC - 1) * sizeof *left); + } else { + i = 0; + while (i < n) { +-- +cgit v1.3 diff --git a/pkgs/tools/compression/gzip/default.nix b/pkgs/tools/compression/gzip/default.nix index 446e5fab0af8..6aafcf6481df 100644 --- a/pkgs/tools/compression/gzip/default.nix +++ b/pkgs/tools/compression/gzip/default.nix @@ -25,6 +25,11 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-Aae4gb0iC/32Ffl7hxj4C9/T9q3ThbmT3Pbv0U6MCsY="; }; + patches = [ + ./CVE-2026-41991.patch + ./CVE-2026-41992.patch + ]; + outputs = [ "out" "man"