Hi all, Simple summary: gunzip executes any "gzip" executable if the caller adjusts PATH.
$ echo "boom" > gzip $ chmod +x gzip $ PATH="$PWD:$PATH" /usr/bin/gunzip boom We discovered this as part of a fix to libXpm, an library to parse X pixmaps. libXpm forks out to gunzip to decompress an xpm.gz file and any libXpm application can thus be made to exec a random binary by highjacking PATH. Our initial fix was to change this to call /usr/bin/gunzip explicitly (i.e. with the built-in prefix). [1] But since gunzip execs gzip from $PATH, nothing really changes - we now fixed this in libXpm by calling /usr/bin/gzip -d instead [2] Not sure if this is a bug, intentional, or just a "meh, too niche to worry about". Or possibly a combination of all three, I'm happy with either. Cheers, Peter [1] https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff916696d0a14308ff4f3a376 [2] https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/8178eb0834d82242e1edbc7d4fb0d1b397569c68
