GNU bug report logs - #54772
gzip-1.12 released [stable]
Reported by: Jim Meyering <jim <at> meyering.net>
Date: Thu, 7 Apr 2022 17:13:02 UTC
Severity: normal
Tags: notabug
Done: Paul Eggert <eggert <at> cs.ucla.edu>
Bug is archived. No further changes may be made.
Report forwarded to bug-gzip <at> gnu.org: bug#54772; Package gzip. (Thu, 07 Apr 2022 17:13:02 GMT)
Acknowledgement sent to Jim Meyering <jim <at> meyering.net>: New bug report received and forwarded. Copy sent to bug-gzip <at> gnu.org. (Thu, 07 Apr 2022 17:13:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Thanks to Paul Eggert and Lasse Collin for all the work
on fixing the exploitable zgrep bug, and to Paul for
handling most of the other changes.

Here are the compressed sources:
  https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.gz (1.3MB)
  https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.xz (808KB)

Here are the GPG detached signatures[*]:
  https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.gz.sig
  https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.xz.sig

Use a mirror for higher download bandwidth:
  https://www.gnu.org/order/ftp.html

Here are the SHA1 and SHA256 checksums:

  91fa501ada319c4dc8f796208440d45a3f48ed13 gzip-1.12.tar.gz
  W0+xTTgxTgny/IocUQ581UCj6g4+ubBCAEa4LDv0EIU gzip-1.12.tar.gz
  318107297587818c8f1e1fbb55962f4b2897bc0b gzip-1.12.tar.xz
  zl4D5Rn2N+H4FAEazjXE+HszwLur7sNbr1+9NHnpGVY gzip-1.12.tar.xz

The SHA256 checksum is base64 encoded, instead of the
hexadecimal encoding that most checksum tools default to.

[*] Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact. First, be sure to download both the .sig file
and the corresponding tarball. Then, run a command like this:

  gpg --verify gzip-1.12.tar.gz.sig

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to update
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key jim@meyering.net

  gpg --recv-keys 7FD9FCCB000BEEEE

  wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=gzip&download=1' | gpg --import -

This release was bootstrapped with the following tools:
  Autoconf 2.71
  Automake 1.16d
  Gnulib v0.1-5194-g58c597d13b

NEWS

* Noteworthy changes in release 1.12 (2022-04-07) [stable]

** Changes in behavior

  'gzip -l' no longer misreports file lengths 4 GiB and larger.
  Previously, 'gzip -l' output the 32-bit value stored in the gzip
  header even though that is the uncompressed length modulo 2**32.
  Now, 'gzip -l' calculates the uncompressed length by decompressing
  the data and counting the resulting bytes. Although this can take
  much more time, nowadays the correctness pros seem to outweigh the
  performance cons.

  'zless' is no longer installed on platforms lacking 'less'.

** Bug fixes

  zgrep applied to a crafted file name with two or more newlines
  can no longer overwrite an arbitrary, attacker-selected file.
  [bug introduced in gzip-1.3.10]

  zgrep now names input file on error instead of mislabeling it as
  "(standard input)", if grep supports the GNU -H and --label options.

  'zdiff -C 5' no longer misbehaves by treating '5' as a file name.
  [bug present since the beginning]

  Configure-time options like --program-prefix now work.

Also posted here:
https://savannah.gnu.org/forum/forum.php?forum_id=10157
[signature.asc (application/pgp-signature, inline)]
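
The announcement in message #5 gives its SHA256 checksums base64-encoded and without trailing padding, so they cannot be fed to `sha256sum -c` as printed. The script below is an added example, not part of the announcement or of gzip: it converts such a value to hex and compares it with the file's digest. It assumes GNU coreutils (`sha256sum`, `base64`, `od`); the function names `b64_to_hex` and `verify_b64_sha256` are hypothetical.

```shell
#!/bin/sh
# Added example: check a file against a base64-encoded SHA256 value.
# Assumes GNU coreutils (sha256sum, base64, od). Function names are hypothetical.

# b64_to_hex VALUE: print a base64 SHA256 digest (padded or not) as hex.
b64_to_hex() {
    b64=$1
    # The announcement omits the trailing '=' padding; restore it so that
    # 'base64 -d' accepts the value.
    case $(( ${#b64} % 4 )) in
        1) return 1 ;;            # no valid base64 string has this length
        2) b64="$b64==" ;;
        3) b64="$b64=" ;;
    esac
    hex=$(printf '%s' "$b64" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    # A SHA256 digest is 32 bytes, so anything but 64 hex digits is malformed.
    [ "${#hex}" -eq 64 ] || return 1
    printf '%s\n' "$hex"
}

# verify_b64_sha256 FILE VALUE: exit status 0 only if FILE's SHA256 equals VALUE.
verify_b64_sha256() {
    expected=$(b64_to_hex "$2") || { echo "$1: malformed checksum" >&2; return 2; }
    # Hash via stdin so sha256sum never has to print (or escape) the file name.
    actual=$(sha256sum < "$1") || return 2
    actual=${actual%% *}
    if [ "$actual" = "$expected" ]; then
        echo "$1: OK"
    else
        echo "$1: FAILED (got $actual, expected $expected)" >&2
        return 1
    fi
}

# Usage: sh verify-b64.sh FILE BASE64-SHA256
if [ "$#" -eq 2 ]; then
    verify_b64_sha256 "$1" "$2"
fi
```

A matching checksum only ties the file to the text of this message; the `gpg --verify` step is what ties it to the signer's key.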
Added tag(s) notabug. Request was from Paul Eggert <eggert <at> cs.ucla.edu> to control <at> debbugs.gnu.org. (Thu, 07 Apr 2022 22:58:01 GMT)
bug closed, send any further explanations to 54772 <at> debbugs.gnu.org and Jim Meyering <jim <at> meyering.net>. Request was from Paul Eggert <eggert <at> cs.ucla.edu> to control <at> debbugs.gnu.org. (Thu, 07 Apr 2022 22:58:02 GMT)
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 06 May 2022 11:24:08 GMT)
This bug report was last modified 3 years and 104 days ago.