CVEs have been assigned for several security issues in zziplib:
http://openwall.com/lists/oss-security/2017/02/14/3

CVE requests were originally filed on February 9:
http://openwall.com/lists/oss-security/2017/02/09/

I don't believe any fixes are available yet.

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
openSUSE has issued an advisory for this on May 8: https://lists.opensuse.org/opensuse-updates/2017-05/msg00025.html
Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated zziplib packages fix security vulnerabilities:

Heap-based buffer overflow in __zzip_get32 in fetch.c (CVE-2017-5974).

Heap-based buffer overflow in __zzip_get64 in fetch.c (CVE-2017-5975).

Heap-based buffer overflow in zzip_mem_entry_extra_block in memdisk.c (CVE-2017-5976).

Invalid memory read in zzip_mem_entry_extra_block in memdisk.c (CVE-2017-5977).

Out of bounds read in zzip_mem_entry_new in memdisk.c (CVE-2017-5978).

NULL pointer dereference in prescan_entry in fseeko.c (CVE-2017-5979).

NULL pointer dereference in zzip_mem_entry_new in memdisk.c (CVE-2017-5980).

Assertion failure in seeko.c (CVE-2017-5981).

NULL pointer dereference in main in unzzipcat-mem.c (bsc#1024532).

NULL pointer dereference in main in unzzipcat.c (bsc#1024537).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5979
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5980
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5981
https://lists.opensuse.org/opensuse-updates/2017-05/msg00025.html
========================

Updated packages in core/updates_testing:
========================
libzziplib0-0.13.62-5.1.mga5
libzziplib-devel-0.13.62-5.1.mga5

from zziplib-0.13.62-5.1.mga5.src.rpm
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
MGA5-32 on Asus A6000VM Xfce
No installation issues.
urpmq --whatrequires-recursive libzziplib0
returns a long list, but none of these are familiar to me, so I have no idea how to test this thingie.
CC: (none) => herman.viaene
Just noticed that swftools is in that list, and bug 20486 requires testing it. Tracing jpeg2swf shows that libzzip-0 is called, so OK to me.
Whiteboard: (none) => MGA5-32-OK
That's bug 20846. Confirmed the update is working on x86_64. Thanks for the suggestion to use gnash to view the swf file, as web browsers open/close the single frame too quickly to verify it's ok. Advisory committed, validating the update.
Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Update ID assignment failed

Checking for QA validation keyword…
Checking dependent bugs… (None found)
Checking SRPMs… (5/core/zziplib-0.13.62-5.1)

'validated_update' keyword reset.
Keywords: validated_update => (none)
A confusion over names.

BEFORE the update, I have:
lib64zziplib0-0.13.62-5.mga5

Updates Testing has:
lib64zziplib0-0.13.62-5.1.mga5, presumably what was tested (comments 2 & 3).

Both Comment 2 and the advisory have:
zziplib-0.13.62-5.1.mga5[.src.rpm]
Missing '0' at the end of the pkg name.

Advisory corrected accordingly; re-validating.
CC: (none) => lewyssmith
Keywords: (none) => validated_update
The package names in Comment 2 were correct. The advisory in SVN should only have the SRPM name, which doesn't have a 0.
From Comment 6 it looks like it was actually missing the .mga5
I fixed the advisory in SVN.
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0163.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
(In reply to David Walser from comment #8)
> The package names in Comment 2 were correct. The advisory in SVN should
> only have the SRPM name, which doesn't have a 0.

(In reply to David Walser from comment #9)
> From Comment 6 it looks like it was actually missing the .mga5

Egg on my face! Sorry for the wrong move.

(In reply to David Walser from comment #10)
> I fixed the advisory in SVN.

Thanks.