diff options
| author | Peter Hutterer <peter.hutterer@who-t.net> | 2023-01-16 19:44:52 +1000 |
|---|---|---|
| committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2023-01-16 10:30:39 -0800 |
| commit | 8178eb0834d82242e1edbc7d4fb0d1b397569c68 (patch) | |
| tree | 98082a6ff7c1ac4124fb0a10c6cecd5e939edf79 /src | |
| parent | c5ab17bcc34914c0b0707d2135dbebe9a367c5f0 (diff) | |
Use gzip -d instead of gunzip
GNU gunzip [1] is a shell script that exec's `gzip -d`. Even if we call
/usr/bin/gunzip with the correct built-in path, the actual gzip call
will use whichever gzip it finds first, making our patch pointless.
Fix this by explicitly calling gzip -d instead.
https://git.savannah.gnu.org/cgit/gzip.git/tree/gunzip.in
[Part of the fix for CVE-2022-4883]
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Diffstat (limited to 'src')
| -rw-r--r-- | src/RdFToI.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/RdFToI.c b/src/RdFToI.c index a91d337..141c485 100644 --- a/src/RdFToI.c +++ b/src/RdFToI.c @@ -251,7 +251,7 @@ OpenReadFile( else if ( ext && !strcmp(ext, ".gz") ) { mdata->type = XPMPIPE; - mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GUNZIP, "-qc", "r"); + mdata->stream.file = xpmPipeThrough(fd, XPM_PATH_GZIP, "-dqc", "r"); } else #endif /* z-files */ |