new file mode 100644
@@ -0,0 +1,86 @@
+From 661918c7c0d5acf52508107d6bcdeb72a526ce52 Mon Sep 17 00:00:00 2001
+From: Paul Eggert <eggert@cs.ucla.edu>
+Date: Thu, 16 Apr 2026 12:11:44 -0700
+Subject: [PATCH] gzexe: use -C if lacking mktemp
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+(Problem reported by Michał Majchrowicz.)
+* gzexe.in: If mktemp is needed but not installed,
+use ‘set -C’ to avoid a race when creating a temporary file.
+* zdiff.in: Use the same pattern here, even though the old
+code was probably OK anyway.
+
+CVE: CVE-2026-41991
+Upstream-Status: Backport [https://cgit.git.savannah.gnu.org/cgit/gzip.git/commit/?id=4e6f8b24ab823146ab8776f0b7fe486ab34d4269]
+Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech>
+---
+ NEWS | 13 +++++++++----
+ gzexe.in | 1 +
+ zdiff.in | 7 +++----
+ 3 files changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 881b6b6..3a05d7e 100644
+--- a/NEWS
++++ b/NEWS
+@@ -4,10 +4,6 @@ GNU gzip NEWS -*- outline -*-
+
+ ** Bug fixes
+
+- A buffer overflow has been fixed when decompressing an .lzh file
+- after decompressing a .Z file.
+- [bug present since the beginning]
+-
+ 'gzip -d' no longer omits the last partial output buffer when the
+ input ends unexpectedly on an IBM Z platform.
+ [bug introduced in gzip-1.11]
+@@ -18,6 +14,15 @@ GNU gzip NEWS -*- outline -*-
+ 'gzip -S' now rejects suffixes containing '/'.
+ [bug present since the beginning]
+
++ A buffer overflow has been fixed when decompressing an .lzh file
++ after decompressing a .Z file.
++ [bug present since the beginning]
++
++ On old-fashioned or limited platforms lacking mktemp, gzexe and
++ zdiff no longer have a race when creating a temporary file.
++ [bug present since the beginning]
++
++
+ ** Changes in behavior
+
+ The GZIP environment variable is now silently ignored except for the
+diff --git a/gzexe.in b/gzexe.in
+index 1267d6e..09a2571 100644
+--- a/gzexe.in
++++ b/gzexe.in
+@@ -127,6 +127,7 @@ for i do
+ tmp=`mktemp "${dir}gzexeXXXXXXXXX"`
+ else
+ tmp=${dir}gzexe$$
++ (umask 77; set -C; > "$tmp")
+ fi && { cp -p "$file" "$tmp" 2>/dev/null || cp "$file" "$tmp"; } || {
+ res=$?
+ printf >&2 '%s\n' "$0: cannot copy $file"
+diff --git a/zdiff.in b/zdiff.in
+index a8689a0..c04a8c0 100644
+--- a/zdiff.in
++++ b/zdiff.in
+@@ -156,12 +156,11 @@ case $file2 in
+ *) TMPDIR=/tmp/;;
+ esac
+ if command -v mktemp >/dev/null 2>&1; then
+- tmp=`mktemp "${TMPDIR}zdiffXXXXXXXXX"` ||
+- exit 2
++ tmp=`mktemp "${TMPDIR}zdiffXXXXXXXXX"`
+ else
+- set -C
+ tmp=${TMPDIR}zdiff$$
+- fi
++ (umask 77; set -C; > "$tmp")
++ fi &&
+ 'gzip' -cdfq -- "$file2" > "$tmp" || exit 2
+ gzip_status=$(
+ exec 4>&1
@@ -7,6 +7,7 @@ LICENSE = "GPL-3.0-or-later"
SRC_URI = "${GNU_MIRROR}/gzip/${BP}.tar.gz \
file://run-ptest \
file://CVE-2026-41992.patch \
+ file://CVE-2026-41991.patch \
"
SRC_URI:append:class-target = " file://wrong-path-fix.patch"
This patch applies the upstream fix as referenced in [1], using the commit shown in [2]. [1] https://nvd.nist.gov/vuln/detail/CVE-2026-41991 [2] https://cgit.git.savannah.gnu.org/cgit/gzip.git/commit/?id=4e6f8b24ab823146ab8776f0b7fe486ab34d4269 Adapted for gzip 1.14: - Refreshed NEWS hunks to match 1.14 release context. Signed-off-by: Jaipaul Cheernam <jaipaul.cheernam@est.tech> --- .../gzip/gzip-1.14/CVE-2026-41991.patch | 86 +++++++++++++++++++ meta/recipes-extended/gzip/gzip_1.14.bb | 1 + 2 files changed, 87 insertions(+) create mode 100644 meta/recipes-extended/gzip/gzip-1.14/CVE-2026-41991.patch