Leenear via "GNU gzip discussion and bug reports." <[email protected]> writes:
> Hello,
>
> I have identified a command injection vulnerability in the zdiff script (gzip 1.12).
>
> The issue occurs because the script uses eval to process the argument passed to the -C flag without proper sanitization.
>
> Reproduction:
>
> touch dummy1.gz dummy2.gz
> zdiff -C "';id;'" dummy1.gz dummy2.gz
>
> Observed Output:
>
> diff: missing operand after ''
> uid=1000(sland) gid=1000(sland) groups=1000(sland)...
> /usr/bin/zdiff: 1: eval: : Permission denied
>
> Analysis:
>
> The -C flag handling in zdiff is broken and allows for arbitrary command execution due to unsafe eval usage.

Thanks for the report. I have attached a patch to fix that specific case.

I'm tempted to rewrite these scripts as actual programs, otherwise I feel that we will get endless reports about issues like this. Generally, I feel like these are mostly harmless though. I doubt anyone is passing user input to a shell to invoke 'zdiff'.

Collin
>From 3d995211c941b02fc16915cca27fd16d146dd724 Mon Sep 17 00:00:00 2001 Message-ID: <3d995211c941b02fc16915cca27fd16d146dd724.1776842003.git.collin.fu...@gmail.com> From: Collin Funk <[email protected]> Date: Wed, 22 Apr 2026 00:10:37 -0700 Subject: [PATCH] zdiff: escape arguments given to short options * zdiff.in: Escape $arg. --- zdiff.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zdiff.in b/zdiff.in index 53266df..8262c44 100644 --- a/zdiff.in +++ b/zdiff.in @@ -72,7 +72,7 @@ do *) printf >&2 '%s\n' "$0: extra operand '$arg'"; exit 2;; esac;; esac;; - *) cmp="$cmp $needop '$arg'" + *) cmp="$cmp $needop '"`printf '%sX\n' "$arg" | LC_ALL=C sed "$escape"` needop=;; esac;; esac -- 2.53.0
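Review bot: the replacement on the `*)` line depends on `$escape`, which is defined outside this hunk, and for the result to be well-formed that sed script must both double every single quote in `$arg` and turn the sentinel X appended by `printf '%sX\n'` into the closing quote: the new line ends at `'"` followed directly by the backticks with no closing `'` of its own, so the quote has to come from the sed output (which is also what stops the backticks from stripping trailing newlines out of `$arg`). Since none of that is visible here, a short comment above the `*)` case or a fuller ChangeLog line than `Escape $arg.` would help the next reader, and the reporter's `zdiff -C "';id;'" dummy1.gz dummy2.gz` deserves a regression test so the `eval` path stays covered.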
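As an added example (not code from this thread or from gzip's zdiff.in), the quoting idiom the patch relies on, written as a stand-alone function with the old unescaped splice beside it for comparison; the sed script is my stand-in for zdiff's `$escape`, whose definition the thread does not show.

```shell
#!/bin/sh
# Added example; not code from the gzip thread or the zdiff.in patch.
# shell_quote turns any string into one single-quoted shell word that a
# later `eval` reads back as exactly that string. It follows the
# printf | sed idiom from the patch; the sed script is a stand-in for
# zdiff's own $escape variable, whose definition is not shown in the thread.
shell_quote() {
  # printf appends a sentinel X so the command substitution cannot eat
  # trailing newlines; sed doubles every ' as '\'' and, on the last line
  # only, turns the sentinel into the closing quote.
  printf "'%s" "$(printf '%sX\n' "$1" | LC_ALL=C sed "s/'/'\\\\''/g;\$s/X\$/'/")"
}

# The pattern the report exercised: $1 spliced between literal quotes in a
# string that eval then re-parses. Any ' inside $1 ends the quoting early,
# so eval no longer sees a single word (and a ; in $1 starts a new command).
naive_word_count() {
  eval "set -- '$1'"
  echo "$#"
}

# Hardened variant: the argument is quoted before it reaches eval, so the
# word count is 1 whatever the argument contains.
safe_word_count() {
  eval "set -- $(shell_quote "$1")"
  echo "$#"
}

# Round trip through eval; returns the value eval saw as the first word.
quoted_roundtrip() {
  eval "set -- $(shell_quote "$1")"
  printf '%s' "$1"
}

naive_word_count "'x y'"         # prints 2: the quotes in the input split it
safe_word_count "';id;'"         # prints 1: the reporter's string stays one word
quoted_roundtrip "';id;'"; echo  # prints ';id;' unchanged
```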
