Hello,

I realize that this report is now publicly viewable on the GNU Debbugs tracker.

Given that this is an exploitable Command Injection vulnerability in a widely used utility (affecting both zgrep and zdiff in version 1.12), I am concerned about public disclosure before a patch is available. Is it possible to restrict public access to this report or move the discussion to a private security list until a fix is released to the distributions?

Best regards,
Leenear
