gzip 1.3.9 released

[Paul Eggert]

I'm happy to announce the release of gzip 1.3.9.

gzip (GNU zip) is a popular data compression program written
by Jean-Loup Gailly for the GNU project; Mark Adler wrote
the decompression part.  For more info about gzip, please
see <http://www.gnu.org/software/gzip/>.

This is the first gzip release since gzip 1.2.4 (1993) that
is considered to be stable enough to distribute via
ftp.gnu.org.  This release attempts to fix bugs, mostly
without adding features.  It incorporates patches that
should fix all gzip security vulnerabilities I know of.

Please report any problems to <address@hidden>.

The compressed and uncompressed sources are here:
  ftp://ftp.gnu.org/gnu/gzip/gzip-1.3.9.tar.gz   ( 421 kB)
  ftp://ftp.gnu.org/gnu/gzip/gzip-1.3.9.tar      (1649 kB)

The GPG detached signatures are here:
  ftp://ftp.gnu.org/gnu/gzip/gzip-1.3.9.tar.gz.sig
  ftp://ftp.gnu.org/gnu/gzip/gzip-1.3.9.tar.sig

Here are the MD5 and SHA512 digests:

7cf923b24b718c418e85a283b2260e14  gzip-1.3.9.tar.gz
c3550e5dcb2f4d4671d4ce6b4e0404ef  gzip-1.3.9.tar
47d36f603f12860dc01bae088db869f3d8e6bfc4bbcd2f964283be3c566d2f94cc4aa91eb1a0d958e1cd25549c5400712999d69a67a5efecac9064b1eefd1b4b
  gzip-1.3.9.tar.gz
714ca622bb53cfdb7f5d86434fc2dbbd95c6e56e5b2bdeeb7108cacfd1f268949c106d2f573fac53e4e486b6dbcad695e6d5c491e26970cc93eca77911ff8efb
  gzip-1.3.9.tar

Here are the major changes since gzip 1.2.4.  There are no
major changes since gzip 1.3.8, the last test release.

* Security vulnerabilities

  - Fix many security vulnerabilities, including (but not limited to) the
    vulnerabilities labeled CVE-1999-1332, CVE-2001-1228, CVE-2003-0367,
    CVE-2004-0603, CVE-2004-0970, CVE-2004-1349, CVE-2005-0758,
    CVE-2005-0988, CVE-2005-1228, CVE-2006-4334, CVE-2006-4335,
    CVE-2006-4336, CVE-2006-4337, and CVE-2006-4338 in Mitre's Common
    Vulnerabilities and Exposures list.

  - Refuse to compress setuid or setgid files, or files with the sticky bit.

  - Remove any output symlink before writing the output file.

  - When building gzip, the assembler is now invoked with
    --noexecstack if supported, so that gzip can better resist
    stack-smashing attacks.

* Other robustness fixes for gzip proper

  - Check for read errors when closing files.

  - Catch CPU time and file size limit signals, too.

  - When compressing or decompressing a file, gzip now restores file
    time stamps to the resolution supported by the time-setting
    primitives of the operating system, typically 1 microsecond.
    Formerly it restored them only to the nearest second.

  - gzip -r no longer attempts to reset the last-access times of
    directories it reads, as this messes up when other processes are
    reading the directories.

  - Less output is lost when decompressing a truncated file.

  - Add support for large files, e.g., files larger than 2 GiB on typical
    32-bit platforms.  Adjust file size listing format for files
    larger than 10 GB.

  - Warn about a compressed file's trailing zeros only if verbose,
    for compatibility with GNU tar.

* Other robustness fixes for gzexe

  - Do not assume the working directory can be written.

  - Rely on PATH in the generated executable, as the man page says.

  - Don't assume IFS is sane.

* Other robustness fixes

  - The options --version and --help now work on all gzip-installed
    executables, and now use a format similar to other GNU programs.

  - When exiting due to a signal, exit with the signal's status, not 1.

  - `zcat' is now always called `zcat', not `gzcat'.
    Similarly for `zdiff', `zgrep', `zmore', `znew', `zforce'.

  - Port to current versions of Autoconf, Automake, Gnulib, POSIX, and
    the GNU coding standards for makefiles.

  - `zdiff' now reports exit status like `diff' does.

  - zforce no longer assumes a 14-byte file name length limit.

  - zgrep now supports --, -H, -h, -L, -l, -C, -d, -m and their long
    equivalents.

  - New command zless, which is implemented using less and LESSOPEN.

* The manual is now distributed under the terms of the GNU Free
  Documentation License.