From eaab405542a34e79989ad499eb5f65d82fa36c93 Mon Sep 17 00:00:00 2001
From: Collin Funk <collin.funk1@gmail.com>
Date: Wed, 22 Apr 2026 00:10:37 -0700
Subject: [PATCH 1/2] zdiff: escape arguments given to short options

* zdiff.in: Escape $arg.
Reported in https://bugs.gnu.org/80882
* THANKS: Update.
---
 THANKS   | 1 +
 zdiff.in | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/THANKS b/THANKS
index a7d25e4..20ab787 100644
--- a/THANKS
+++ b/THANKS
@@ -325,3 +325,4 @@ Denys Zagorui		denys.zagorui@globallogic.com
 Jamie Zawinski          jwz@lucid.com
 Yuxi Zhang		YZhang@qnx.com
 Christos Zoulas         christos@deshaw.com
+Leenear                 Leenear@proton.me
diff --git a/zdiff.in b/zdiff.in
index 53266df..8262c44 100644
--- a/zdiff.in
+++ b/zdiff.in
@@ -72,7 +72,7 @@ do
             *) printf >&2 '%s\n' "$0: extra operand '$arg'"; exit 2;;
             esac;;
          esac;;
-     *) cmp="$cmp $needop '$arg'"
+     *) cmp="$cmp $needop '"`printf '%sX\n' "$arg" | LC_ALL=C sed "$escape"`
         needop=;;
      esac;;
   esac
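Review bot: The new `*) cmp="$cmp $needop '"…` line no longer shows the closing single quote for `$arg` — it has to be supplied by `$escape`, which is defined outside this hunk and presumably ends with a rule that rewrites the trailing `X` sentinel into `'`; a one-line comment would spare the next reader that detour, e.g. `# Single-quote $arg for the later eval; the X sentinel keeps trailing newlines intact.` The enclosing `case` and the loop it sits in both start and end outside the hunk, so I could not confirm from here that every other place `$arg` is spliced into `cmp` already goes through the same `$escape` path; a quick grep for `'$arg'` before merging would settle it. The unquoted backtick substitution is in an assignment, so it is not field-split and the form itself is fine.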
-- 
2.54.0


From bd371636f4ebc6bc009c1ff26e5fcf0d71c5469a Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@meta.com>
Date: Wed, 22 Apr 2026 20:51:40 -0700
Subject: [PATCH 2/2] tests: test for the latest fix

* tests/zdiff-abuse: New file.
* tests/Makefile.am (TESTS): Add it.
---
 tests/Makefile.am |  1 +
 tests/zdiff-abuse | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100755 tests/zdiff-abuse

diff --git a/tests/Makefile.am b/tests/Makefile.am
index 04158d1..0e94b48 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -40,6 +40,7 @@ TESTS =					\
   write-error				\
   z-suffix				\
   zdiff					\
+  zdiff-abuse				\
   zgrep-f				\
   zgrep-abuse				\
   zgrep-binary				\
diff --git a/tests/zdiff-abuse b/tests/zdiff-abuse
new file mode 100755
index 0000000..2e548c1
--- /dev/null
+++ b/tests/zdiff-abuse
@@ -0,0 +1,33 @@
+#!/bin/sh
+# Ensure zdiff doesn't execute injected commands via -C option.
+# Before the fix, the eval in zdiff would execute arbitrary commands
+# when a crafted argument was passed to a short option like -C.
+
+# Copyright (C) 2026 Free Software Foundation, Inc.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+. "${srcdir=.}/init.sh"; path_prepend_ ..
+
+echo x | gzip > a.gz || framework_failure_
+cp a.gz b.gz || framework_failure_
+
+fail=0
+
+# Before the fix, this would run "id > hacked".
+zdiff -C "';id > hacked;'" a.gz b.gz 2>/dev/null; st=$?
+
+test -f hacked && fail=1
+
+Exit $fail
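Review bot: `st=$?` on the `zdiff -C` line is assigned but never read, so the test passes or fails solely on whether `hacked` exists. Either drop `; st=$?`, or use it, e.g. `test "$st" = 2 || fail=1` if zdiff is expected to fail because diff rejects the non-numeric context length (confirm the actual status before pinning it). Sending stderr to `/dev/null` also hides the diagnostic that explains why a run went wrong; `2>err` keeps it in the test directory for inspection without changing the check.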
-- 
2.54.0

