Hello community,

here is the log from the commit of package gzip for openSUSE:Factory checked in at 2026-07-02 20:05:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gzip (Old)
 and      /work/SRC/openSUSE:Factory/.gzip.new.1982 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gzip" Thu Jul 2 20:05:33 2026 rev:68 rq:1362945 version:1.14 Changes: -------- --- /work/SRC/openSUSE:Factory/gzip/gzip.changes 2025-04-20 19:56:00.759002952 +0200 +++ /work/SRC/openSUSE:Factory/.gzip.new.1982/gzip.changes 2026-07-02 20:05:35.553371062 +0200 @@ -1,0 +2,9 @@ +Wed Jul 1 10:04:23 UTC 2026 - Marius Grossu <[email protected]> + +- Add CVE-2026-41991.patch: fix insecure temporary file + handling in the gzexe utility (and zdiff) when the mktemp + utility is not available in the user's PATH. Backport of upstream commit + 4e6f8b24ab823146ab8776f0b7fe486ab34d4269. + (CVE-2026-41991, bsc#1269622) + +------------------------------------------------------------------- New: ---- CVE-2026-41991.patch ----------(New B)---------- New: - Add CVE-2026-41991.patch: fix insecure temporary file handling in the gzexe utility (and zdiff) when the mktemp ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gzip.spec ++++++ --- /var/tmp/diff_new_pack.XHUWzs/_old 2026-07-02 20:05:38.397469305 +0200 +++ /var/tmp/diff_new_pack.XHUWzs/_new 2026-07-02 20:05:38.401469444 +0200 @@ -1,7 +1,7 @@ # # spec file for package gzip # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2026 SUSE LLC and contributors # Copyright (c) 2025 Andreas Stieger <[email protected]> # # All modifications and additions to the file contributed by third parties @@ -35,6 +35,8 @@ Patch7: xz_lzma_zstd.patch Patch8: manpage-no-date.patch Patch9: gzip-1.14-s390x-errno.patch +# PATCH FIX UPSTREAM bsc#1269622 [email protected] CVE-2026-41991 +Patch10: CVE-2026-41991.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: makeinfo @@ -57,6 +59,7 @@ %patch -P 7 -p1 %patch -P 8 -p1 %patch -P 9 -p1 +%patch -P 10 -p1 %build export CFLAGS="%{optflags} -fomit-frame-pointer \ ++++++ CVE-2026-41991.patch ++++++ >From 4e6f8b24ab823146ab8776f0b7fe486ab34d4269 Mon Sep 17 00:00:00 2001 
From: Paul Eggert <[email protected]> Date: Thu, 16 Apr 2026 12:11:44 -0700 Subject: [PATCH] gzexe: use -C if lacking mktemp Upstream: https://cgit.git.savannah.gnu.org/cgit/gzip.git/commit/?id=4e6f8b24ab823146ab8776f0b7fe486ab34d4269 --- gzexe.in | 1 + zdiff.in | 7 +++---- 2 files changed, 4 insertions(+), 4 deletions(-) --- a/gzexe.in +++ b/gzexe.in @@ -127,6 +127,7 @@ tmp=`mktemp "${dir}gzexeXXXXXXXXX"` else tmp=${dir}gzexe$$ + (umask 77; set -C; > "$tmp") fi && { cp -p "$file" "$tmp" 2>/dev/null || cp "$file" "$tmp"; } || { res=$? printf >&2 '%s\n' "$0: cannot copy $file" --- a/zdiff.in +++ b/zdiff.in @@ -156,12 +156,11 @@ *) TMPDIR=/tmp/;; esac if command -v mktemp >/dev/null 2>&1; then - tmp=`mktemp "${TMPDIR}zdiffXXXXXXXXX"` || - exit 2 + tmp=`mktemp "${TMPDIR}zdiffXXXXXXXXX"` else - set -C tmp=${TMPDIR}zdiff$$ - fi + (umask 77; set -C; > "$tmp") + fi && 'gzip' -cdfq -- "$file2" > "$tmp" || exit 2 gzip_status=$( exec 4>&1
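Review bot: In gzip.spec, the comment above `Patch10:` writes the tag as `# PATCH FIX UPSTREAM` with spaces. openSUSE patch tags are normally written hyphenated (`PATCH-FIX-UPSTREAM`), so anyone grepping the spec for the hyphenated tag will miss this entry. Suggest changing the comment to the hyphenated form and keeping the bsc#1269622 and CVE-2026-41991 references as they are.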
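Review bot: In the gzexe.in hunk, a failed exclusive create in the no-mktemp branch falls through `fi && { cp -p "$file" "$tmp" ... } ||` into the existing handler and is reported as "cannot copy $file", which names the wrong cause when the real problem is that `${dir}gzexe$$` already exists. Suggest a separate diagnostic for that case, on top of whatever the shell prints for the refused redirection, so a user can tell a name collision from a copy error. A one-line comment saying that `(umask 77; set -C; > "$tmp")` runs in a subshell so that neither the umask nor noclobber leaks into the rest of the script would also help the next reader.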
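Review bot: In the zdiff.in hunk, moving `set -C` into the subshell means the following `'gzip' -cdfq -- "$file2" > "$tmp"` is no longer a noclobber open in the fallback branch; it reopens the path by name and truncates it. That relies on the file having just been created exclusively and owner-only by `(umask 77; set -C; > "$tmp")`, and this dependency between the two lines is not stated anywhere in the hunk. Suggest a short comment recording it, and noting that a collision on the predictable `${TMPDIR}zdiff$$` name now ends in `exit 2` with no retry under a different name.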
