Mozilla has published the results of a security audit of zlib:
https://wiki.mozilla.org/images/0/09/Zlib-report.pdf

Links to the fixes are in this document:
https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory to come later.

Updated packages in core/updates_testing:
========================
libzlib1-1.2.8-7.1.mga5
libzlib-devel-1.2.8-7.1.mga5
libminizip1-1.2.8-7.1.mga5
libminizip-devel-1.2.8-7.1.mga5

from zlib-1.2.8-7.1.mga5.src.rpm
I cannot find any reference to other software using this library:

# urpmq --whatrequires libzlib1
libzlib-devel
libzlib1

There is a man page for 'zlib' (but no command). However,

# urpmq --whatrequires zlib
No package called zlib

Can we test this update? Is it used by Firefox?
CC: (none) => lewyssmith
@lewis Strange. I tried that command:

$ urpmq --whatrequires lib64zlib1

and it returned 873 package names. It looked like practically everything used it, from stellarium to firefox, ruby and vlc. I tried running some commands under strace and examined the output for signs of zlib and could see nothing. Maybe the library is used only under certain circumstances.
CC: (none) => tarazed25
Try installing the minizip stuff.

$ urpmq --whatrequires lib64minizip1 | sort | uniq
chromium-browser-stable
fceux
lib64assimp3
lib64cegui0_2
lib64minizip1
lib64minizip-devel
sigil
spring
springlobby
vcmi

$ urpmq --requires-recursive vcmi

turns up lib64zlib1, amongst other things. Don't know if there are any executable commands amongst that lot.
sigil is for editing epub files and others are to do with game consoles and engines, apart from Chromium. For vcmi you need to install Heroes III. !!!
Looking back to comment 2... gthumb is an image viewer which displays thumbnails of the images below the main frame. It seems likely that zlib would come into play there but I could not see anything in an strace. However:

$ cat trace | grep libz
open("/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libz.so.1.2.8", O_RDONLY) = 3
open("/usr/lib64/libz.so.1.2.8", O_RDONLY) = 9
MGA5-32 on Acer D620 Xfce
No installation issues
Looked at the list generated by "urpmq --whatrequires libzlib1" and decided to go for

strace -o /home/tester5/Documenten/fsarch.txt qt4-fsarchiver

and backed up a partition (about 3Gb). Backup ran successfully and fsarch.txt (14.7Mb) shows three calls to libz.so.1
CC: (none) => herman.viaeneWhiteboard: (none) => MGA5-32-OK
MGA5 x86_64 on hardware (Acer Veriton M4618G)
Used Herman's basic procedure but with nmap. Updates from testing installed fine.

[mrambo@rambobox ~]$ rpm -qa | grep zlib
lib64zlib-devel-1.2.8-7.1.mga5
lib64zlib1-1.2.8-7.1.mga5

[root@rambobox mrambo]# strace -o zlib_test.txt nmapfe

[mrambo@rambobox ~]$ grep libz zlib_test.txt
open("/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 6
open("/usr/lib64/libz.so.1.2.8", O_RDONLY) = 6

Several successful calls to libz.so.1. Looks good on x86_64.
CC: (none) => mramboWhiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
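The strace checks in the test comments above (tracing a program and grepping the log for libz) can be packaged into a small helper. What follows is an added example written for this page, not code from the bug thread or from Mageia's QA tooling. It assumes the usual single-line open()/openat() format of strace output and uses a constructed sample log modelled on the lines quoted above. It goes a little beyond the plain grep used in the thread: it drops the dynamic loader's failed lookups (lines ending in "= -1 ENOENT (...)"), understands the openat() lines that newer strace versions print, and checks that the fully versioned file from the updated package (libz.so.1.2.8) was actually opened.

```shell
#!/bin/sh
# Added example (not from the bug thread): given an strace log produced with
# "strace -o LOG PROGRAM", list the zlib shared objects the program opened
# successfully and check that the versioned file from the updated package
# was among them.
#
# Assumptions: strace prints open(2)/openat(2) calls in its usual single-line
# form, and a failed open is reported as "= -1 ERRNO (...)".

# Print, once each, the paths containing LIB (default "libz") that were
# passed to open()/openat() and returned a file descriptor (>= 0).
# Failed probes such as "/usr/lib64/tls/libz.so.1 ... = -1 ENOENT", which
# the dynamic loader leaves behind while searching its paths, are excluded.
libz_opens() {
    log=$1
    lib=${2:-libz}
    grep -E '^open(at)?\(.*"[^"]*'"$lib"'[^"]*".*\) = [0-9]+$' "$log" \
        | sed 's/.*"\([^"]*\)".*/\1/' \
        | sort -u
}

# From the successful opens, extract the version of every fully versioned
# file (libz.so.X.Y.Z). strace records the pathname argument, not the
# resolved target, so the loader's "/lib64/libz.so.1" symlink open carries
# no version and is skipped here.
libz_versions() {
    libz_opens "$1" "${2:-libz}" \
        | sed -n 's/.*\.so\.\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)$/\1/p' \
        | sort -u
}

# Exit 0 if the expected version was opened during the traced run.
# usage: zlib_update_loaded LOG EXPECTED_VERSION
zlib_update_loaded() {
    libz_versions "$1" | grep -qxF "$2"
}

# Constructed sample log for demonstration, modelled on the lines quoted in
# the thread plus one failed loader probe and one openat() line as newer
# strace versions print it. Not a real capture.
write_sample_log() {
    cat >"$1" <<'EOF'
execve("/usr/bin/gthumb", ["gthumb"], [/* 40 vars */]) = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/tls/libz.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libpng16.so.16", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libz.so.1.2.8", O_RDONLY) = 9
openat(AT_FDCWD, "/usr/lib64/libz.so.1.2.8", O_RDONLY) = 9
EOF
}

# Demonstration run on the constructed log.
sample=$(mktemp)
write_sample_log "$sample"
echo "zlib files opened successfully:"
libz_opens "$sample"
echo "versioned zlib files opened:"
libz_versions "$sample"
if zlib_update_loaded "$sample" 1.2.8; then
    echo "OK: zlib 1.2.8 from the update was loaded"
else
    echo "WARNING: zlib 1.2.8 not seen; this run may not have used zlib"
fi
rm -f "$sample"
```

To use it on a real trace, source the file and call `libz_opens fsarch.txt` or `zlib_update_loaded zlib_test.txt 1.2.8`. Two caveats a tester should keep in mind: strace logs the pathname handed to open(2), so the loader's `/lib64/libz.so.1` line does not say which file it resolved to, and `readlink -f /lib64/libz.so.1` (or `rpm -qf` on its target) on the test machine is what confirms the symlink points at the updated package's file; and a trace only covers the code path exercised in that run, so, as the comments above already observe, a program linked against zlib may never touch it until a particular feature is used.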
(In reply to David Walser from comment #0)
> Advisory to come later.

If you can, David, please do (I will create/upload it). TIA

Thanks to Herman & Mike for your tests. Update validated, advisory pending.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
From reading the original document again, it doesn't sound like any of these bugs present as security issues currently, but hypothetically could in the future. Changing this to a bug fix update.

Advisory:
----------------------------------------

The zlib package has been patched to fix four issues where the code relies on undefined behavior in the C standard, which could have negative interactions with certain compiler optimizations or future compiler behavior.

References:
https://wiki.mozilla.org/images/0/09/Zlib-report.pdf
Component: Security => RPM PackagesQA Contact: security => (none)
CC: (none) => mageiaWhiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advirosy
Whiteboard: MGA5-32-OK MGA5-64-OK advirosy => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGAA-2016-0128.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
CVE request: http://openwall.com/lists/oss-security/2016/12/05/10
CVE-2016-984[0-3] assigned for the last two issues in the audit report: http://www.openwall.com/lists/oss-security/2016/12/05/21
Summary: zlib new security issues found by mozilla security audit => zlib new security issues found by mozilla security audit (CVE-2016-984[0-3])
URL: (none) => https://lwn.net/Vulnerabilities/709847/