Followup-For: Bug #1054290
Sorry, I made an important mistake in my phrasing about these two packages:
> * mupen64plus-core - this appears unaffected in Debian; it declares a
> build-time dependency on libminizip-dev, and the build system uses this
> when available. I've verified that by
Followup-For: Bug #1054290
Updates on some other codebases where minizip appears vendored in Debian source
packages:
* gdal - the fix for minizip is included in upstream version 3.8.0 and a
packaged version of that release has been accepted into Debian unstable.
* mupen64plus-core - this
Source: zlib
Followup-For: Bug #1054290
I now think that patching vendored minizip code in libxlsxwriter would not help
because it specifies the 'USE_SYSTEM_MINIZIP' define at build-time[1] in
combination with a build-time dependency[2] on 'libminizip-dev' to link to the
required library functions
Source: zlib
Followup-For: Bug #1054290
X-Debbugs-Cc: david.dooling+deb...@docker.com, car...@debian.org, Debian Security Team
On Fri, 03 Nov 2023 14:26:54 +, I wrote:
> A few packages referenced 'quazip' - a fork of minizip. Of those, only
> 1 (one) appears to support 64-bit zip files, and
Source: zlib
Followup-For: Bug #1054290
X-Debbugs-Cc: david.dooling+deb...@docker.com, car...@debian.org, Debian Security Team
On Tue, 31 Oct 2023 13:13:00 -0500, David wrote:
> Thanks for that analysis, James.
...
> nodejs-18.13.0+dfsg1:
> The Node.js source code includes a copy of the zlib sou
Thanks for that analysis, James.
Using James' analysis as a starting point, I dug into some of the
usages of the 'zipOpenNewFile*' functions.
nodejs-18.13.0+dfsg1:
The Node.js source code includes a copy of the zlib source code. This
copy was patched over a month ago.
mariadb-10.11.4:
The MariaD
Source: zlib
Followup-For: Bug #1054290
X-Debbugs-Cc: car...@debian.org, Debian Security Team
After reading the minizip/zip.c code[1], I think that the vulnerable function
is exposed for external linkage by any of the 'zipOpenNewFile*' functions.
Given that, I code-searched[2] for 'zipOpenFile'
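The messages above (the mupen64plus-core and libxlsxwriter notes, and this code search for zipOpenNewFile* callers) are all doing the same triage by hand: does a source package compile its own copy of minizip's zip.c, does it call the affected entry points, and is the build wired to the distro's libminizip instead? The script below is an added example of that triage automated, not code from the bug report or from any Debian package. It assumes a vendored copy can be recognised by a file defining a `ZEXPORT zipOpenNewFileInZip*` function, that a system-library build shows up as either `libminizip-dev` in debian/control or a `USE_SYSTEM_MINIZIP` define in the build files (modelled on the libxlsxwriter case), and it runs against small constructed fixture trees rather than real packages.

```shell
#!/bin/sh
# Added example (not from the bug thread or any package): classify a source tree by
# how it reaches minizip's zipOpenNewFileInZip* entry points. Fixture layout,
# package names and the USE_SYSTEM_MINIZIP define are assumptions.

# Files that *define* zipOpenNewFileInZip*, i.e. a vendored copy of minizip's zip.c.
vendored_copies() {
    find "$1" -type f -name '*.c' \
        -exec grep -lE 'ZEXPORT[[:space:]]+zipOpenNewFileInZip' {} + 2>/dev/null || :
}

# Files that *call* zipOpenNewFileInZip* but do not define it: the package's own code.
api_callers() {
    find "$1" -type f \( -name '*.c' -o -name '*.cc' -o -name '*.cpp' -o -name '*.h' \) \
        -exec grep -lE 'zipOpenNewFileInZip' {} + 2>/dev/null | while read -r f; do
        grep -qE 'ZEXPORT[[:space:]]+zipOpenNewFileInZip' "$f" || echo "$f"
    done
}

# True when the build is wired to the distro's libminizip: debian/control
# build-depends on libminizip-dev, or USE_SYSTEM_MINIZIP appears in the build system.
uses_system_minizip() {
    if [ -f "$1/debian/control" ] && grep -q 'libminizip-dev' "$1/debian/control"; then
        return 0
    fi
    find "$1" -type f \( -name 'CMakeLists.txt' -o -name 'Makefile*' -o -name '*.mk' \
        -o -name 'configure.ac' -o -name 'meson.build' -o -name 'rules' \) \
        -exec grep -l 'USE_SYSTEM_MINIZIP' {} + 2>/dev/null | grep -q .
}

# Print one word describing how DIR reaches the affected code path.
minizip_triage() {
    dir=$1
    vend=$(vendored_copies "$dir")
    calls=$(api_callers "$dir")
    if [ -z "$vend" ] && [ -z "$calls" ]; then
        echo none          # no zipOpenNewFile* usage at all
    elif [ -n "$vend" ] && uses_system_minizip "$dir"; then
        echo mixed         # copy shipped, but build prefers libminizip: confirm the link step
    elif [ -n "$vend" ]; then
        echo vendored      # the copy is compiled in: patch it or switch to libminizip-dev
    elif uses_system_minizip "$dir"; then
        echo system        # fixed by the minizip binary package update
    else
        echo unresolved    # calls the API but the provider is unclear: inspect by hand
    fi
}

# Constructed fixture trees standing in for four source packages (not real packages).
make_fixtures() {
    root=$(mktemp -d)
    zipc='extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename)\n{\n  return ZIP_OK;\n}\n'
    call='int save(zipFile z) { return zipOpenNewFileInZip64(z, "a.txt", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0); }\n'
    # 1. Compiles its own zip.c and calls into it (needs the copy patched).
    mkdir -p "$root/pkg-vendored/src/minizip" "$root/pkg-vendored/debian"
    printf "$zipc" > "$root/pkg-vendored/src/minizip/zip.c"
    printf "$call" > "$root/pkg-vendored/src/save.c"
    printf 'Source: pkg-vendored\nBuild-Depends: debhelper-compat (= 13), zlib1g-dev\n' \
        > "$root/pkg-vendored/debian/control"
    # 2. Ships a copy but build-depends on libminizip-dev (the mupen64plus-core shape).
    mkdir -p "$root/pkg-mixed/src/minizip" "$root/pkg-mixed/debian"
    printf "$zipc" > "$root/pkg-mixed/src/minizip/zip.c"
    printf "$call" > "$root/pkg-mixed/src/save.c"
    printf 'Source: pkg-mixed\nBuild-Depends: debhelper-compat (= 13), libminizip-dev\n' \
        > "$root/pkg-mixed/debian/control"
    # 3. No copy; links the system library (the libxlsxwriter shape).
    mkdir -p "$root/pkg-system/src" "$root/pkg-system/debian"
    printf "$call" > "$root/pkg-system/src/writer.c"
    printf 'add_definitions(-DUSE_SYSTEM_MINIZIP)\n' > "$root/pkg-system/CMakeLists.txt"
    printf 'Source: pkg-system\nBuild-Depends: debhelper-compat (= 13), libminizip-dev\n' \
        > "$root/pkg-system/debian/control"
    # 4. Never touches minizip.
    mkdir -p "$root/pkg-none/src"
    printf 'int main(void) { return 0; }\n' > "$root/pkg-none/src/main.c"
    echo "$root"
}

FIXTURES=$(make_fixtures)
for p in pkg-vendored pkg-mixed pkg-system pkg-none; do
    printf '%s: %s\n' "$p" "$(minizip_triage "$FIXTURES/$p")"
done
```

A "mixed" result is the case the thread had to correct itself on: a shipped copy is harmless only if the build really links libminizip, so the classification is a prompt to read the build system or the linker output, not a verdict. Forks that rename the entry points (quazip is mentioned above) will not match the pattern and need their own search.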
Source: zlib
Followup-For: Bug #1054290
Control: tags -1 patch
Source: zlib
Followup-For: Bug #1054290
X-Debbugs-Cc: car...@debian.org, Debian Security Team
I wrote:
> Although this bug exists in src:zlib, the only binary package affected is, I
> believe, the 'minizip'[1] package.
This turns out to be a half-truth: the affected minizip code is vendored into
Source: zlib
Followup-For: Bug #1054290
X-Debbugs-Cc: car...@debian.org
Although this bug exists in src:zlib, the only binary package affected is, I
believe, the 'minizip'[1] package.
A fix[2] for CVE-2023-45853 has been applied upstream, and is pending[3] an
upstream release.
Please find attach
Source: zlib
Version: 1:1.2.13.dfsg-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for zlib.
CVE-2023-45853[0]:
| MiniZip in zlib through 1.3 has an integer overflow and resultant
| heap-based buf