Source: gzip Version: 1.13-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for gzip. CVE-2026-41992[0]: | GNU gzip contains a global buffer overflow vulnerability in the LZH | decompression logic caused by improper reuse of shared global state | between different decompression formats within a single execution. | GNU gzip maintains a global array that is shared across the LZ77, | LZW, and LZH decompression routines and is not reinitialized between | files processed in the same invocation. By decompressing a specially | crafted LZW file followed by a specially crafted LZH file in a | single gzip -d command, an attacker can poison the shared global | state and subsequently trigger an out‑of‑bounds read in the LZH | decoder. The LZH decompression logic follows stale values left in | the shared array, causing reads past the end of the allocated global | buffer. This issue has been fixed in the commit | 63dbf6b3b9e6e781df1a6a64e609b10e23969681 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-41992 https://www.cve.org/CVERecord?id=CVE-2026-41992 [1] https://cgit.git.savannah.gnu.org/cgit/gzip.git/commit/?id=63dbf6b3b9e6e781df1a6a64e609b10e23969681 Please adjust the affected versions in the BTS as needed. Regards, Salvatore

