On Wed, Nov 22, 2023 at 01:34:49PM -0600, David Wright wrote: > AFAICT zipOpenNewFileInZip4_64 is only contained in > /usr/lib/x86_64-linux-gnu/libminizip.so.1.0.0 which is from package > libminizip1_1~b1_amd64.deb. > > In Debian, it would appear that minizip was split off from zlib1g > a decade ago. > > zlib (1:1.2.8.dfsg-2) unstable; urgency=low > > * Drop zlib-bin package as minizip has now been packaged separately, > delay due to lack of notice regarding upload (closes: #753070). > > -- Mark Brown <broo...@debian.org> Sat, 16 Aug 2014 15:12:11 +0100
unicorn:~$ apt-cache show zlib1g [...] Source: zlib [...] Homepage: http://zlib.net/ unicorn:~$ apt-cache show libminizip1 [...] Source: minizip (1.1-8) [...] Homepage: http://www.winimage.com/zLibDll/minizip.html Looks like Debian's minizip (including libminizip1) was sourced from a separate location, rather than being split apart from zlib. On the other hand, I cannot find zipOpen in /lib/x86_64-linux-gnu/libz.so.1.2.13 either (I used nm -D ... | less), so perhaps the minizip portion of zlib is not included during the build. If that's true, then the package should be marked as "not vulnerable".
