Hi Paul,

Thank you for the review and fix.

I confirm that withdrawing znew -P addresses the symlink overwrite behavior I reported. I will reference GNU gzip bug#81022 as the upstream fix for this issue.

One question: do you expect this to be tracked only as bug#81022, or should a CVE be requested for the fixed vulnerability? I am fine either way and mainly want to make sure downstream references are accurate.

Regards,
Yazdan Soltani

On Tue, May 12, 2026 at 11:46 AM Paul Eggert <[email protected]> wrote:

> On 2026-05-11 10:00, Yazdan Soltani wrote:
> > I’m following up on the vulnerability report I sent on May 2nd regarding a
> > Security Vulnerability; *znew -P symlink file overwrite in gzip 1.14*.
>
> Thanks, somehow I missed that.
>
> I installed the attached patch, which should fix any vulnerability with
> znew -P by withdrawing support for that option. Marking the bug as done.
