Thanks to Paul Eggert and Lasse Collin for all the work on fixing the exploitable zgrep bug, and to Paul for handling most of the other changes.

Here are the compressed sources:
  https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.gz   (1.3MB)
  https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.xz   (808KB)

Here are the GPG detached signatures[*]:
  https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.gz.sig
  https://ftp.gnu.org/gnu/gzip/gzip-1.12.tar.xz.sig

Use a mirror for higher download bandwidth:
  https://www.gnu.org/order/ftp.html

Here are the SHA1 and SHA256 checksums:

  91fa501ada319c4dc8f796208440d45a3f48ed13  gzip-1.12.tar.gz
  W0+xTTgxTgny/IocUQ581UCj6g4+ubBCAEa4LDv0EIU  gzip-1.12.tar.gz
  318107297587818c8f1e1fbb55962f4b2897bc0b  gzip-1.12.tar.xz
  zl4D5Rn2N+H4FAEazjXE+HszwLur7sNbr1+9NHnpGVY  gzip-1.12.tar.xz

The SHA256 checksum is base64 encoded, instead of the
hexadecimal encoding that most checksum tools default to.

[*] Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify gzip-1.12.tar.gz.sig

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to update
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key j...@meyering.net

  gpg --recv-keys 7FD9FCCB000BEEEE

  wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=gzip&download=1' | gpg --import -

This release was bootstrapped with the following tools:
  Autoconf 2.71
  Automake 1.16d
  Gnulib v0.1-5194-g58c597d13b

NEWS

* Noteworthy changes in release 1.12 (2022-04-07) [stable]

** Changes in behavior

  'gzip -l' no longer misreports file lengths 4 GiB and larger.
  Previously, 'gzip -l' output the 32-bit value stored in the gzip
  header even though that is the uncompressed length modulo 2**32.
  Now, 'gzip -l' calculates the uncompressed length by decompressing
  the data and counting the resulting bytes.  Although this can take
  much more time, nowadays the correctness pros seem to outweigh the
  performance cons.

  'zless' is no longer installed on platforms lacking 'less'.

** Bug fixes

  zgrep applied to a crafted file name with two or more newlines
  can no longer overwrite an arbitrary, attacker-selected file.
  [bug introduced in gzip-1.3.10]

  zgrep now names input file on error instead of mislabeling it as
  "(standard input)", if grep supports the GNU -H and --label options.

  'zdiff -C 5' no longer misbehaves by treating '5' as a file name.
  [bug present since the beginning]

  Configure-time options like --program-prefix now work.

Also posted here: https://savannah.gnu.org/forum/forum.php?forum_id=10157
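
The announcement publishes its SHA256 values base64 encoded and without the trailing '=' padding, so they cannot be compared directly with sha256sum output. The following is an added example, not part of the original announcement: the function names b64_to_hex and verify_sha256_b64 are hypothetical, and it assumes sha256sum, base64, od and tr are available (GNU coreutils or similar).

```shell
#!/bin/sh
# Added example: compare a file's SHA-256 against a base64-encoded digest,
# as published in the announcement above. Function names are hypothetical.

# Convert a base64 digest (padded or unpadded) to lowercase hex on stdout.
b64_to_hex() {
    b64=$1
    # The announcement omits the trailing '=' padding; restore it,
    # because 'base64 -d' expects input whose length is a multiple of 4.
    while [ $(( ${#b64} % 4 )) -ne 0 ]; do
        b64="${b64}="
    done
    # -v stops od from collapsing repeated lines into '*'.
    printf '%s' "$b64" | base64 -d | od -An -v -tx1 | tr -d ' \n'
}

# Return 0 only if FILE hashes to the expected base64 SHA-256.
# Return 1 on mismatch, 2 if the expected value is not a valid digest.
verify_sha256_b64() {
    file=$1
    expected_hex=$(b64_to_hex "$2") || return 2
    # A SHA-256 digest is 32 bytes, i.e. 64 hex characters; anything else
    # means the pasted value was truncated or is not valid base64.
    [ "${#expected_hex}" -eq 64 ] || return 2
    # Hash via stdin so sha256sum never has to print (and escape) the
    # file name; the output is then "<hex>  -".
    actual_hex=$(sha256sum < "$file") || return 2
    actual_hex=${actual_hex%% *}
    [ "$actual_hex" = "$expected_hex" ] || return 1
}

# Usage with the value from the announcement:
#   verify_sha256_b64 gzip-1.12.tar.gz W0+xTTgxTgny/IocUQ581UCj6g4+ubBCAEa4LDv0EIU \
#       && echo OK || echo MISMATCH
```

A matching digest only shows that the download matches what this announcement lists; the 'gpg --verify' step is what ties the tarball to the release signing key.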