Fw: [SECURITY] Fedora 34 Update: gzip-1.10-5.fc34
1 May 2022, 8:15 p.m.
Ugh, seriously? This is such basic shell escape security. Also: vim gets yet another sec update.

Begin forwarded message:

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-6b512ae9e5
2022-04-30 18:40:14.825912
--------------------------------------------------------------------------------

Name : gzip

Update Information:

zgrep applied to a crafted file name with two or more newlines can no longer overwrite an arbitrary, attacker-selected file.

reproducer:
$ touch foo.gz
$ echo foo | gzip > "$(printf '|\n;e touch pwned\n#.gz')"
$ zgrep foo *.gz
(the unfixed version of zgrep creates the file called pwned)
Trevor Cordes
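
A defensive check for the condition the notice describes, added here as an example and not part of the original message or the Fedora notice: it counts directory entries whose names contain a newline and refuses to hand such names to zgrep. The function names are hypothetical, and rejecting any newline (rather than only two or more) is a deliberately conservative assumption.

```shell
#!/bin/sh
# Added example: audit file names for embedded newlines before they reach
# zgrep. Function names are hypothetical; any newline is treated as unsafe.

# A variable holding exactly one newline character.
NL='
'

# has_newline NAME: succeed if NAME contains at least one newline.
has_newline() {
    case $1 in
        *"$NL"*) return 0 ;;
    esac
    return 1
}

# count_newline_names DIR: print how many entries directly under DIR
# (the ones a glob such as *.gz could expand to) have a newline in the name.
count_newline_names() {
    n=0
    for f in "$1"/*; do
        # Skip the unexpanded pattern when DIR is empty.
        [ -e "$f" ] || [ -L "$f" ] || continue
        if has_newline "${f##*/}"; then
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

# guarded_zgrep PATTERN FILE...: check every FILE first, and only call
# zgrep when none of the names contains a newline. Returns 2 on refusal.
guarded_zgrep() {
    pattern=$1
    shift
    for f in "$@"; do
        if has_newline "$f"; then
            printf 'refusing to run zgrep: a file name contains a newline\n' >&2
            return 2
        fi
    done
    zgrep -e "$pattern" "$@"
}

# Stand-alone use: sh thisfile DIR prints the count for DIR.
if [ "$#" -gt 0 ]; then
    count_newline_names "$1"
fi
```

The guard is a stopgap for hosts that cannot take the gzip update yet; the update itself is the fix.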