Source: zlib
Followup-For: Bug #1054290

I now think that patching vendored minizip code in libxlsxwriter would not help because it specifies the 'USE_SYSTEM_MINIZIP' define at build-time[1] in combination with a build-time dependency[2] on 'libminizip-dev' to link to the required library functions.

In other words: if-and-when a security update is available in libminizip-dev then libxlsxwriter will benefit from that automatically, and the presence of apparently-vulnerable code within src:libxlsxwriter is irrelevant.

[1] - https://sources.debian.org/src/libxlsxwriter/1.1.5-1/debian/rules/#L14

[2] - https://sources.debian.org/src/libxlsxwriter/1.1.5-1/debian/control/#L11
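
A source-level check for the two conditions the message above relies on, as an added example that is not part of the original message or of either package: it looks for the `USE_SYSTEM_MINIZIP` token in `debian/rules` and for `libminizip-dev` in the source stanza's `Build-Depends` fields of `debian/control`. The function names and the sample file contents are constructed for illustration.

```python
import re

BUILD_DEP_FIELDS = {"build-depends", "build-depends-arch", "build-depends-indep"}

def build_depends(control_text):
    """Package names listed in the Build-Depends* fields of the source stanza."""
    names, field = set(), None
    for line in control_text.strip().splitlines():
        if not line.strip():
            break                      # blank line ends the source stanza
        if line.startswith("#"):
            continue                   # comment line
        if line[0] in " \t":
            value = line               # folded continuation of current field
        else:
            field, _, value = line.partition(":")
            field = field.strip().lower()
        if field in BUILD_DEP_FIELDS:
            for clause in value.split(","):
                for alt in clause.split("|"):   # alternatives: a | b
                    m = re.match(r"\s*([a-z0-9][a-z0-9+.-]+)", alt)
                    if m:
                        names.add(m.group(1))
    return names

def rules_mention(rules_text, macro):
    """True if macro appears in debian/rules outside a '#' comment."""
    pattern = re.compile(r"\b" + re.escape(macro) + r"\b")
    return any(pattern.search(line.split("#", 1)[0])
               for line in rules_text.splitlines())

def uses_system_library(control_text, rules_text,
                        macro="USE_SYSTEM_MINIZIP", dev_pkg="libminizip-dev"):
    """Both conditions from the message: build-time define AND build-dependency."""
    return rules_mention(rules_text, macro) and dev_pkg in build_depends(control_text)

# Constructed sample inputs (not copied from the real package).
SAMPLE_CONTROL = """\
Source: examplepkg
Build-Depends: debhelper-compat (= 13),
               libminizip-dev,
               zlib1g-dev (>= 1:1.2.0) | libz-dev
Standards-Version: 4.6.0

Package: libexample-dev
Depends: libminizip-dev
"""
SAMPLE_RULES = "#!/usr/bin/make -f\n%:\n\tdh $@\noverride_dh_auto_build:\n" \
               "\tdh_auto_build -- USE_SYSTEM_MINIZIP=1\n"
SAMPLE_RULES_VENDORED = SAMPLE_RULES.replace("-- USE_SYSTEM_MINIZIP=1",
                                             "# USE_SYSTEM_MINIZIP=1")
```

A positive result only says the packaging requests the system library; it does not inspect the upstream build system or the built binary.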

