Debian Package Tracker
Register | Log in
Subscribe

gzip

GNU compression utilities

Choose email to subscribe with

general
  • source: gzip (main)
  • version: 1.13-1
  • maintainer: Milan Kupcevic (DMD)
  • arch: any
  • std-ver: 4.7.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 1.10-4+deb11u1
  • o-o-sec: 1.10-4+deb11u1
  • oldstable: 1.12-1
  • stable: 1.13-1
  • testing: 1.13-1
  • unstable: 1.13-1
  • exp: 1.14-1~exp2
versioned links
  • 1.10-4+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.12-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.13-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1.14-1~exp2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • gzip (31 bugs: 0, 8, 23, 0)
action needed
A new upstream version is available: 1.14 high
A new upstream version 1.14 is available, you should consider packaging it.
Created: 2025-11-27 Last update: 2026-07-03 00:30
2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:
  • CVE-2026-41991: GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269
  • CVE-2026-41992: GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation. By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an out‑of‑bounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer. This issue has been fixed in the commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681
Created: 2026-06-30 Last update: 2026-06-30 10:02
2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:
  • CVE-2026-41991: GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269
  • CVE-2026-41992: GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation. By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an out‑of‑bounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer. This issue has been fixed in the commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681
Created: 2026-06-30 Last update: 2026-06-30 10:02
2 security issues in bullseye high

There are 2 open security issues in bullseye.

2 important issues:
  • CVE-2026-41991: GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269
  • CVE-2026-41992: GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation. By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an out‑of‑bounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer. This issue has been fixed in the commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681
Created: 2026-06-30 Last update: 2026-06-30 10:02
2 security issues in bookworm high

There are 2 open security issues in bookworm.

2 important issues:
  • CVE-2026-41991: GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269
  • CVE-2026-41992: GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation. By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an out‑of‑bounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer. This issue has been fixed in the commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681
Created: 2026-06-30 Last update: 2026-06-30 10:02
3 bugs tagged patch in the BTS normal
The BTS contains patches fixing 3 bugs, consider including or untagging them.
Created: 2026-06-02 Last update: 2026-07-03 02:30
2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:
  • CVE-2026-41991: (needs triaging) GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269
  • CVE-2026-41992: (needs triaging) GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation. By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an out‑of‑bounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer. This issue has been fixed in the commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-06-30 Last update: 2026-06-30 10:02
debian/patches: 2 patches to forward upstream low

Among the 2 debian patches available in version 1.13-1 of the package, we noticed the following issues:

  • 2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2025-01-17 17:00
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.0).
Created: 2025-02-21 Last update: 2026-03-31 15:01
news
[rss feed]
  • [2025-04-13] Accepted gzip 1.14-1~exp2 (source) into experimental (Milan Kupcevic)
  • [2025-04-12] Accepted gzip 1.14-1~exp1 (source) into experimental (Milan Kupcevic)
  • [2025-04-06] Accepted gzip 1.13.56~e549-1~exp1 (source) into experimental (Milan Kupcevic)
  • [2025-01-19] gzip 1.13-1 MIGRATED to testing (Debian testing watch)
  • [2025-01-17] Accepted gzip 1.13-1 (source) into unstable (Milan Kupcevic)
  • [2024-12-12] gzip 1.12-1.2 MIGRATED to testing (Debian testing watch)
  • [2024-12-10] Accepted gzip 1.12-1.2 (source) into unstable (Helmut Grohne)
  • [2024-03-17] gzip 1.12-1.1 MIGRATED to testing (Debian testing watch)
  • [2024-03-14] Accepted gzip 1.12-1.1 (source) into unstable (Helmut Grohne)
  • [2022-04-22] Accepted gzip 1.10-4+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Milan Kupcevic)
  • [2022-04-22] Accepted gzip 1.9-3+deb10u1 (source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Debian FTP Masters) (signed by: Milan Kupcevic)
  • [2022-04-18] Accepted gzip 1.10-4+deb11u1 (source) into stable-security->embargoed, stable-security (Debian FTP Masters) (signed by: Milan Kupcevic)
  • [2022-04-18] Accepted gzip 1.9-3+deb10u1 (source) into oldstable->embargoed, oldstable (Debian FTP Masters) (signed by: Milan Kupcevic)
  • [2022-04-12] gzip 1.12-1 MIGRATED to testing (Debian testing watch)
  • [2022-04-10] Accepted gzip 1.6-5+deb9u1 (source) into oldoldstable (Utkarsh Gupta)
  • [2022-04-10] Accepted gzip 1.12-1 (source) into unstable (Milan Kupcevic)
  • [2021-03-10] gzip 1.10-4 MIGRATED to testing (Debian testing watch)
  • [2021-03-03] Accepted gzip 1.10-4 (source) into unstable (Milan Kupcevic)
  • [2021-02-27] Accepted gzip 1.10-3 (source) into unstable (Milan Kupcevic)
  • [2020-03-22] gzip 1.10-2 MIGRATED to testing (Debian testing watch)
  • [2020-03-19] Accepted gzip 1.10-2 (source) into unstable (Bdale Garbee)
  • [2020-02-28] gzip 1.10-1 MIGRATED to testing (Debian testing watch)
  • [2020-02-26] Accepted gzip 1.10-1 (source) into unstable (Bdale Garbee)
  • [2019-01-08] gzip 1.9-3 MIGRATED to testing (Debian testing watch)
  • [2019-01-05] Accepted gzip 1.9-3 (source amd64 all) into unstable (Bdale Garbee)
  • [2019-01-04] Accepted gzip 1.9-2.2 (source) into unstable (Niels Thykier)
  • [2018-10-10] gzip 1.9-2.1 MIGRATED to testing (Debian testing watch)
  • [2018-10-04] Accepted gzip 1.9-2.1 (source) into unstable (Andreas Henriksson)
  • [2018-08-10] gzip 1.9-2 MIGRATED to testing (Debian testing watch)
  • [2018-08-05] Accepted gzip 1.9-2 (source amd64 all) into unstable (Bdale Garbee)
  • 1
  • 2
bugs [bug history graph]
  • all: 30 31
  • RC: 0
  • I&N: 8
  • M&W: 22 23
  • F&P: 0
  • patch: 3
links
  • homepage
  • lintian
  • buildd: logs, exp, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • screenshots
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 1.14-1~exp2ubuntu2

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing