Source: gzip
Version: 1.13-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for gzip.

CVE-2026-41992[0]:
| GNU gzip contains a global buffer overflow vulnerability in the LZH
| decompression logic caused by improper reuse of shared global state
| between different decompression formats within a single execution.
| GNU gzip maintains a global array that is shared across the LZ77,
| LZW, and LZH decompression routines and is not reinitialized between
| files processed in the same invocation. By decompressing a specially
| crafted LZW file followed by a specially crafted LZH file in a
| single gzip -d command, an attacker can poison the shared global
| state and subsequently trigger an out‑of‑bounds read in the LZH
| decoder. The LZH decompression logic follows stale values left in
| the shared array, causing reads past the end of the allocated global
| buffer.  This issue has been fixed in the commit
| 63dbf6b3b9e6e781df1a6a64e609b10e23969681


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-41992
    https://www.cve.org/CVERecord?id=CVE-2026-41992
[1] 
https://cgit.git.savannah.gnu.org/cgit/gzip.git/commit/?id=63dbf6b3b9e6e781df1a6a64e609b10e23969681

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to