Bug 32785

Summary:	zlib new security issue CVE-2014-9485
Product:	Mageia	Reporter:	Nicolas Salguero <nicolas.salguero>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, mageia, marja11, sysadmin-bugs, tarazed25
Version:	9	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA9-64-OK
Source RPM:	zlib-1.2.13-1.1.mga9.src.rpm	CVE:	CVE-2014-9485
Status comment:

Description Nicolas Salguero 2024-01-26 14:49:05 CET

That CVE was announced here:
https://www.openwall.com/lists/oss-security/2024/01/24/10

The fix is here:
https://github.com/madler/zlib/commit/14a5f8f266c16c87ab6c086fc52b770b27701e01

Nicolas Salguero 2024-01-26 14:49:16 CET

Source RPM: (none) => zlib-1.2.13-1.1.mga9.src.rpm
CVE: (none) => CVE-2014-9485

Comment 1 Nicolas Salguero 2024-01-26 15:02:17 CET

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Directory traversal vulnerability in the do_extract_currentfile function in miniunz.c in miniunzip in minizip before 1.1-5 might allow remote attackers to write to arbitrary files via a crafted entry in a ZIP archive. (CVE-2014-9485)

References:
https://www.openwall.com/lists/oss-security/2024/01/24/10
========================

Updated packages in core/updates_testing:
========================
lib(64)minizip1-1.2.13-1.2.mga9
lib(64)minizip-devel-1.2.13-1.2.mga9
lib(64)zlib1-1.2.13-1.2.mga9
lib(64)zlib-devel-1.2.13-1.2.mga9
lib(64)zlib-static-devel-1.2.13-1.2.mga9

from SRPM:
zlib-1.2.13-1.2.mga9.src.rpm

Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED

PC LX 2024-01-26 19:15:15 CET

CC: (none) => mageia

Comment 2 Len Lawrence 2024-01-26 21:04:25 CET

Mageia9, x86_64

Could not find a reproducer in the redhat links.
Ran strace on xqf, chromium-browser and gthumb and found /lib64/libz.so.1 was successfully opened in all three.  Got as far as the opening interface in xqf but gthumb and Chrome could be used without any regressions.

Giving this the green light.

CC: (none) => tarazed25
Whiteboard: (none) => MGA9-64-OK

Comment 3 Thomas Andrews 2024-01-26 21:48:44 CET

Validating. Advisory in comment 1.

Len, perhaps a good place to practice your new advisory-uploading skills. ;-)

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Len Lawrence 2024-01-28 15:19:46 CET

Keywords: (none) => advisory

Len Lawrence 2024-01-29 01:29:17 CET

Keywords: advisory => (none)

Marja Van Waes 2024-01-29 17:44:50 CET

Keywords: (none) => advisory
CC: (none) => marja11

Comment 4 Mageia Robot 2024-01-30 21:58:26 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0019.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED