Bug#1067451: libzip: please update to 1.10.1
Package: libzip
Version: 1.7.3-1.1

Upstream here. The libzip package in Debian is quite outdated (a release from 2020), can you please update it to the latest version (1.10.1 right now, from August 2023)? We take care that libzip is backwards-compatible, so the update should be painless. Let me know if it isn't!

Thanks,
Thomas
Bug#874010: libzip: CVE-2017-14107: memory allocation failure in _zip_cdir_grow (zip_dirent.c)
libzip-1.3.0 fixing this and another CVE is now available.

Thomas

On Fri, Sep 01, 2017 at 11:14:02PM +0200, Salvatore Bonaccorso wrote:
> Source: libzip
> Version: 0.11.2-1.2
> Severity: important
> Tags: security upstream patch fixed-upstream
>
> Hi,
>
> the following vulnerability was published for libzip.
>
> CVE-2017-14107[0]:
> | The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0
> | mishandles EOCD records, which allows remote attackers to cause a
> | denial of service (memory allocation failure in _zip_cdir_grow in
> | zip_dirent.c) via a crafted ZIP archive.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-14107
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14107
> [1] https://blogs.gentoo.org/ago/2017/09/01/libzip-memory-allocation-failure-in-_zip_cdir_grow-zip_dirent-c/
> [2] https://github.com/nih-at/libzip/commit/9b46957ec98d85a572e9ef98301247f39338a3b5
>
> Regards,
> Salvatore
Bug#662083: libzip: FTBFS on hurd-i386 (fixed ENOENT number in tests)
This has been fixed differently in the latest libzip release -- the code returns error 9 now, errno is not printed, see http://hg.nih.at/libzip/file/54229f050761/regress/open_nosuchfile.test

Thomas
Bug#784684: ziptorrent crashes with doublefree on git-archive produced zip files
ziptorrent has been removed from libzip. The file format needs particular zlib/deflate settings that have been hard to reproduce across operating systems. For this reason, the ziptorrent files created by the ziptorrent program were not always the same.

Please remove the ziptorrent package from Debian.

Thomas
Bug#691310: bug in zip_add(3)
I think this bug is fixed since libzip-0.11.2.

Thomas

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#739308: libzip-dev: include file in wrong place
Hi!

Upstream here. I found this bug report. We've put the header file in lib on purpose, because e.g. for multilib installations, /usr/include must be portable over all architectures; so architecture or machine-specific files must be somewhere else. One convention for that is ${PREFIX}/lib/${PROGRAMNAME}/include, which for example glib2 also follows.

Users are expected to use pkg-config. I don't really care if Debian adds a symlink in /usr/include, except that programmers working on Debian might think that they don't have to use pkg-config and make it harder to port their programs to other platforms.

Cheers,
Thomas
Bug#684193: Command names for Simon Tatham's puzzles
On Mon, Aug 13, 2012 at 10:24:23AM +0200, Jakob Gruber wrote:

On 08/13/2012 01:36 AM, Ben Hutchings wrote:

I would be happy to rename the commands like this, but:

1. I would like you to include the command prefix as an option in your own releases, including the documentation change.
2. I would like to get some cross-distribution consensus on this, so that the various packages converge rather than further diverging.

Agreed, sounds good. I'm also thinking of renaming the package to sgt-puzzles as soon as this happens.

This all sounds fine to me. I have two more requests: Please maintain a NEWS file so that I don't have to trawl the commit logs for changes; and release official tarballs every few months or years, with a proper version number.

Thanks,
Thomas