Hello community,

here is the log from the commit of package gzip for openSUSE:Factory checked in 
at 2026-07-02 20:05:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/gzip (Old)
 and      /work/SRC/openSUSE:Factory/.gzip.new.1982 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "gzip"

Thu Jul  2 20:05:33 2026 rev:68 rq:1362945 version:1.14

Changes:
--------
--- /work/SRC/openSUSE:Factory/gzip/gzip.changes        2025-04-20 
19:56:00.759002952 +0200
+++ /work/SRC/openSUSE:Factory/.gzip.new.1982/gzip.changes      2026-07-02 
20:05:35.553371062 +0200
@@ -1,0 +2,9 @@
+Wed Jul  1 10:04:23 UTC 2026 - Marius Grossu <[email protected]>
+
+- Add CVE-2026-41991.patch: fix insecure temporary file
+  handling in the gzexe utility (and zdiff) when the mktemp
+  utility is not available in the user's PATH. Backport of upstream commit
+  4e6f8b24ab823146ab8776f0b7fe486ab34d4269.
+  (CVE-2026-41991, bsc#1269622)
+
+-------------------------------------------------------------------

New:
----
  CVE-2026-41991.patch

----------(New B)----------
  New:
- Add CVE-2026-41991.patch: fix insecure temporary file
  handling in the gzexe utility (and zdiff) when the mktemp
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ gzip.spec ++++++
--- /var/tmp/diff_new_pack.XHUWzs/_old  2026-07-02 20:05:38.397469305 +0200
+++ /var/tmp/diff_new_pack.XHUWzs/_new  2026-07-02 20:05:38.401469444 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package gzip
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 # Copyright (c) 2025 Andreas Stieger <[email protected]>
 #
 # All modifications and additions to the file contributed by third parties
@@ -35,6 +35,8 @@
 Patch7:         xz_lzma_zstd.patch
 Patch8:         manpage-no-date.patch
 Patch9:         gzip-1.14-s390x-errno.patch
+# PATCH FIX UPSTREAM bsc#1269622 [email protected] CVE-2026-41991
+Patch10:        CVE-2026-41991.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  makeinfo
@@ -57,6 +59,7 @@
 %patch -P 7 -p1
 %patch -P 8 -p1
 %patch -P 9 -p1
+%patch -P 10 -p1
 
 %build
 export CFLAGS="%{optflags} -fomit-frame-pointer \

++++++ CVE-2026-41991.patch ++++++
>From 4e6f8b24ab823146ab8776f0b7fe486ab34d4269 Mon Sep 17 00:00:00 2001
From: Paul Eggert <[email protected]>
Date: Thu, 16 Apr 2026 12:11:44 -0700
Subject: [PATCH] gzexe: use -C if lacking mktemp

Upstream:
https://cgit.git.savannah.gnu.org/cgit/gzip.git/commit/?id=4e6f8b24ab823146ab8776f0b7fe486ab34d4269
---
 gzexe.in | 1 +
 zdiff.in | 7 +++----
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/gzexe.in
+++ b/gzexe.in
@@ -127,6 +127,7 @@
     tmp=`mktemp "${dir}gzexeXXXXXXXXX"`
   else
     tmp=${dir}gzexe$$
+    (umask 77; set -C; > "$tmp")
   fi && { cp -p "$file" "$tmp" 2>/dev/null || cp "$file" "$tmp"; } || {
     res=$?
     printf >&2 '%s\n' "$0: cannot copy $file"
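
Review bot: in the else branch, a failure of the added `(umask 77; set -C; > "$tmp")` line makes the `if` return non-zero, so control falls into the existing `|| { ... }` block and the user is told "cannot copy $file", which misstates the cause when the real problem is that `${dir}gzexe$$` already exists. A separate diagnostic for the temp-file creation step would make that failure easier to recognise. A one-line comment noting that the subshell keeps `umask 77` and `set -C` from leaking into the rest of the script would also stop a later cleanup from "simplifying" it away.
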
--- a/zdiff.in
+++ b/zdiff.in
@@ -156,12 +156,11 @@
                           *) TMPDIR=/tmp/;;
                         esac
                         if command -v mktemp >/dev/null 2>&1; then
-                          tmp=`mktemp "${TMPDIR}zdiffXXXXXXXXX"` ||
-                            exit 2
+                          tmp=`mktemp "${TMPDIR}zdiffXXXXXXXXX"`
                         else
-                          set -C
                           tmp=${TMPDIR}zdiff$$
-                        fi
+                          (umask 77; set -C; > "$tmp")
+                        fi &&
                         'gzip' -cdfq -- "$file2" > "$tmp" || exit 2
                         gzip_status=$(
                           exec 4>&1
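
Review bot: with `set -C` moved into the subshell, the following `'gzip' -cdfq -- "$file2" > "$tmp"` in the parent shell no longer runs under noclobber and reopens the path by name. That is consistent with the mktemp branch, but it means the fallback's guarantee now rests on the exclusive, mode-0600 creation done one line earlier plus the directory in `TMPDIR` not letting other users replace that entry in between (as a sticky `/tmp/` does). Suggest stating that assumption in a comment next to `(umask 77; set -C; > "$tmp")`, since the removed `set -C` line could otherwise look like an accidental regression to a later reader.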
