Source: zlib
Followup-For: Bug #1054290
X-Debbugs-Cc: david.dooling+deb...@docker.com, car...@debian.org, Debian Security Team <t...@security.debian.org>
On Fri, 03 Nov 2023 14:26:54 +0000, I wrote:

> A few packages referenced 'quazip' - a fork of minizip. Of those, only
> 1 (one) appears to support 64-bit zip files, and it does look like it has
> the vulnerability too.
>
> For 3 (three) of the remaining packages, I'm uncertain whether copied code
> that looks like older versions of minizip is in fact vulnerable; those are the
> 'magics++' and 'widelands' packages, where 64-bit zip support appears
> incomplete or missing, and 'gdal', where the code appears to be part of a
> library called 'CPL' that may have shared some lineage with minizip.

Please note: both of those paragraphs I wrote mention 64-bit zipfile support, because I thought that that could be a prerequisite for the vulnerability (an integer overflow). However, I'm not really sure whether that's true or not.