Arbitrary file overwrite via insecure temporary file handling in gzexe utility
Summary
GNU gzip contains a vulnerability in the gzexe utility related to insecure temporary file handling. When the mktemp utility is not available in the user’s PATH, gzexe falls back to constructing a temporary file path based solely on the process ID (PID). This predictable filename is created without exclusive access or existence checks. A local attacker can pre‑create the predicted temporary file path as a symbolic link pointing to an arbitrary file writable by the victim. When gzexe runs, it follows the symlink and overwrites the target file, resulting in a time‑of‑check to time‑of‑use (TOCTOU) condition that allows arbitrary file overwrite. This issue has been fixed in the commit 4e6f8b24ab823146ab8776f0b7fe486ab34d4269 A flaw was found in the `gzexe` utility of GNU `gzip`. When the `mktemp` utility is not available, `gzexe` creates temporary files with predictable names based on the process ID. A local attacker can exploit this by pre-creating a symbolic link to an arbitrary file at the predicted temporary file path. This can lead to a Time-of-Check to Time-of-Use (TOCTOU) condition, allowing the attacker to overwrite arbitrary files on the system. A flaw was found in the gzexe utility of GNU gzip. When the mktemp utility is not available in the user's PATH, gzexe creates temporary files with predictable names based on the process ID. A local attacker can exploit this by creating a symbolic link at the predicted temporary file path, leading to a TOCTOU race condition that allows arbitrary file overwrite. On Red Hat Enterprise Linux, mktemp is provided by coreutils which is always installed, making the vulnerable fallback code path effectively unreachable in standard deployments. Red Hat severity: Moderate — CVSS 6 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H). Weakness: CWE-59. Fixed by RHSA-2026:33771 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
- gzip-main-1.14-2.2.hum1
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- gzip-main-1.14-2.2.hum1
- RHSA-2026:33771
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- Ensure that the mktemp utility (provided by the coreutils package) is available in PATH when using the gzexe utility. On Red Hat Enterprise Linux, mktemp is installed by default and no additional action is needed.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.