On Wed, Apr 22, 2026 at 12:22 AM Collin Funk <[email protected]> wrote:
> Leenear via "GNU gzip discussion and bug reports." <[email protected]> writes:
>
> > Hello,
> >
> > I have identified a command injection vulnerability in the zdiff script (gzip 1.12).
> >
> > The issue occurs because the script uses eval to process the argument passed to the -C flag without proper sanitization.
> >
> > Reproduction:
> >
> > touch dummy1.gz dummy2.gz
> > zdiff -C "';id;'" dummy1.gz dummy2.gz
> >
> > Observed Output:
> >
> > diff: missing operand after ''
> > uid=1000(sland) gid=1000(sland) groups=1000(sland)...
> > /usr/bin/zdiff: 1: eval: : Permission denied
> >
> > Analysis:
> >
> > The -C flag handling in zdiff is broken and allows for arbitrary command execution due to unsafe eval usage.
>
> Thanks for the report.
>
> I have attached a patch to fix that specific case. I'm tempted to rewrite these scripts as actual programs, otherwise I feel that we will get endless reports about issues like this. Generally, I feel like these are mostly harmless though. I doubt anyone is passing user input to a shell to invoke 'zdiff'.

Thank you for the patch. I've applied it, with a small addition to attribute via THANKS. I've attached that and the added test case in a separate commit below.
gzip-zdiff-abuse.diff

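The bug class discussed in this thread, as an added illustration that is not gzip's zdiff code (all function names here are made up): an option value spliced into command text that is later eval'd, beside two safe forms, one that quotes the value before splicing and one that avoids eval altogether.

```shell
#!/bin/sh
# Illustrative only: a stand-in for how an option value can reach eval.
# NOT gzip's zdiff code; the function names are invented for this example.

# Stand-in for diff/cmp: prints its arguments joined by '|' so we can see
# how many words the -C value was split into.
show_args() { printf '%s|' "$@"; echo; }

# Broken pattern: the -C value is spliced into command text that is eval'd,
# so quotes and ';' inside the value are parsed as shell syntax.
unsafe_context() {
  cmd="show_args -C $1"
  eval "$cmd" 2>/dev/null || :
}

# Quote a string so that one round of eval yields exactly the original word:
# wrap it in single quotes and turn each embedded ' into '\''.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Fixed pattern A: if the command must be assembled as text (zdiff does this
# to build a decompress-and-compare pipeline), quote the value first.
safe_context_eval() {
  cmd="show_args -C $(shell_quote "$1")"
  eval "$cmd"
}

# Fixed pattern B: skip eval and pass the value as a single quoted argument.
safe_context_direct() {
  show_args -C "$1"
}

# Constructed input modelled on the report: it closes the quote, inserts a
# command, and reopens the quote. 'echo INJECTED' stands in for 'id'.
payload="';echo INJECTED;'"
unsafe_context "$payload"        # -C||  then INJECTED on its own line
safe_context_eval "$payload"     # -C|';echo INJECTED;'|
safe_context_direct "$payload"   # -C|';echo INJECTED;'|
```

With the safe forms the whole payload survives as one literal word, which is what a regression test for this fix should assert on.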