Bug 24580

Summary: libzip new security issue(s) fixed upstream in 1.5.2
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: All Packagers <pkg-bugs>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: geiger.david68210, lists.jjorge, marja11, nicolas.salguero
Version: 6
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: libzip-1.1.3-1.mga6.src.rpm
CVE:
Status comment: Fixed upstream in 1.5.2

Description David Walser 2019-03-28 21:06:13 CET
Fedora has issued an advisory on March 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LF7ZNZRB7ZWDCS2NDR542KE56R7HWAON/

They don't link to any CVEs or RedHat bugs, but it says:
* Fix bug in AES encryption affecting certain file sizes
* Keep file permissions when modifying zip archives
* Support systems with small stack size.
* Add nullability annotations.

of which probably either the first or second might have been a security issue, so these may correspond to upstream commits that can be backported.
David Walser 2019-03-28 21:23:47 CET

Status comment: (none) => Fixed upstream in 1.5.2

Comment 1 Marja Van Waes 2019-03-29 07:59:25 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => geiger.david68210, marja11
Assignee: bugsquad => pkg-bugs

José Jorge 2019-03-29 14:36:40 CET

CC: (none) => lists.jjorge
Assignee: pkg-bugs => lists.jjorge

Comment 2 José Jorge 2019-03-29 14:41:03 CET
Well, it is very different code, with even a major version change. I think we should not try to cherry-pick fixes, as Fedora also did not fix it for version 28.

Assignee: lists.jjorge => pkg-bugs

Comment 3 Nicolas Salguero 2019-11-06 16:20:52 CET
Mageia 6 EOL

Status: NEW => RESOLVED
CC: (none) => nicolas.salguero
Resolution: (none) => OLD