Source: gzip
Version: 1.13-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for gzip.

CVE-2026-41991[0]:
| GNU gzip contains a vulnerability in the gzexe utility related to
| insecure temporary file handling. When the mktemp utility is not
| available in the user’s PATH, gzexe falls back to constructing a
| temporary file path based solely on the process ID (PID). This
| predictable filename is created without exclusive access or
| existence checks. A local attacker can pre‑create the predicted
| temporary file path as a symbolic link pointing to an arbitrary file
| writable by the victim. When gzexe runs, it follows the symlink and
| overwrites the target file, resulting in a time‑of‑check to
| time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite.
| This issue has been fixed in the commit
| 4e6f8b24ab823146ab8776f0b7fe486ab34d4269


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-41991
    https://www.cve.org/CVERecord?id=CVE-2026-41991
[1] 
https://cgit.git.savannah.gnu.org/cgit/gzip.git/commit/?id=4e6f8b24ab823146ab8776f0b7fe486ab34d4269

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to