On Wed 22 Nov 2023 at 15:27:06 (-0500), Greg Wooledge wrote: > On Wed, Nov 22, 2023 at 01:34:49PM -0600, David Wright wrote: > > AFAICT zipOpenNewFileInZip4_64 is only contained in > > /usr/lib/x86_64-linux-gnu/libminizip.so.1.0.0 which is from package > > libminizip1_1~b1_amd64.deb. > > > > In Debian, it would appear that minizip was split off from zlib1g > > a decade ago. > > > > zlib (1:1.2.8.dfsg-2) unstable; urgency=low > > > > * Drop zlib-bin package as minizip has now been packaged separately, > > delay due to lack of notice regarding upload (closes: #753070). > > > > -- Mark Brown <broo...@debian.org> Sat, 16 Aug 2014 15:12:11 +0100 > > unicorn:~$ apt-cache show zlib1g > [...] > Source: zlib > [...] > Homepage: http://zlib.net/ > > unicorn:~$ apt-cache show libminizip1 > [...] > Source: minizip (1.1-8) > [...] > Homepage: http://www.winimage.com/zLibDll/minizip.html > > > Looks like Debian's minizip (including libminizip1) was sourced from a > separate location, rather than being split apart from zlib.
I think that link gives a misleading impression. Before minizip, the functionality was in zlib-bin, and the library was (using as an example zlib-bin-1.2.3.4-minizip, from 2009): $ strings /tmp/zlib-bin-1.2.3.4-minizip | grep -i zlib MiniZip 1.01b, demo of zLib + Zip package written by Gilles Vollant more info at http://www.winimage.com/zLibDll/unzip.html zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll $ I think it's all the same old code; this is the latest canonical source of zlib (1495873 Aug 18 05:08 zlib.tar.gz, which I unpacked in /tmp) with the same link: $ head -n 5 /tmp/zlib-1.3/contrib/minizip/zip.c /* zip.c -- IO on .zip files using zlib Version 1.1, February 14h, 2010 part of the MiniZip project - ( http://www.winimage.com/zLibDll/minizip.html ) Copyright (C) 1998-2010 Gilles Vollant (minizip) ( http://www.winimage.com/zLibDll/minizip.html ) $ > On the other hand, I cannot find zipOpen in > /lib/x86_64-linux-gnu/libz.so.1.2.13 either (I used nm -D ... | less), > so perhaps the minizip portion of zlib is not included during the build. > If that's true, then the package should be marked as "not vulnerable". … and libminizip1 should be the one marked: $ grep -r zipOpenNewFileInZip4_64 /tmp/zlib-1.3/ /tmp/zlib-1.3/contrib/minizip/zip.c:extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, const zip_fileinfo* zipfi, /tmp/zlib-1.3/contrib/minizip/zip.c: return zipOpenNewFileInZip4_64(file, filename, zipfi, /tmp/zlib-1.3/contrib/minizip/zip.c: return zipOpenNewFileInZip4_64(file, filename, zipfi, /tmp/zlib-1.3/contrib/minizip/zip.c: return zipOpenNewFileInZip4_64(file, filename, zipfi, /tmp/zlib-1.3/contrib/minizip/zip.c: return zipOpenNewFileInZip4_64(file, filename, zipfi, /tmp/zlib-1.3/contrib/minizip/zip.c: return zipOpenNewFileInZip4_64(file, filename, zipfi, /tmp/zlib-1.3/contrib/minizip/zip.c: return zipOpenNewFileInZip4_64(file, filename, zipfi, /tmp/zlib-1.3/contrib/minizip/zip.c: return zipOpenNewFileInZip4_64(file, filename, zipfi, /tmp/zlib-1.3/contrib/minizip/zip.h:extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, /tmp/zlib-1.3/contrib/vstudio/vc10/zlibvc.def: zipOpenNewFileInZip4_64 @135 /tmp/zlib-1.3/contrib/vstudio/vc14/zlibvc.def: zipOpenNewFileInZip4_64 @135 /tmp/zlib-1.3/contrib/vstudio/vc11/zlibvc.def: zipOpenNewFileInZip4_64 @135 /tmp/zlib-1.3/contrib/vstudio/vc9/zlibvc.def: zipOpenNewFileInZip4_64 @135 /tmp/zlib-1.3/contrib/vstudio/vc12/zlibvc.def: zipOpenNewFileInZip4_64 @135 $ Cheers, David.
