Bug 20285 - zziplib new security issues CVE-2017-597[4-9] and CVE-2017-598[01]
Summary: zziplib new security issues CVE-2017-597[4-9] and CVE-2017-598[01]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-02-14 12:07 CET by David Walser
Modified: 2017-06-12 20:56 CEST

See Also:
Source RPM: zziplib-0.13.62-7.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2017-02-14 12:07:45 CET
CVEs have been assigned for several security issues in zziplib:
http://openwall.com/lists/oss-security/2017/02/14/3

CVE requests were originally filed on February 9:
http://openwall.com/lists/oss-security/2017/02/09/

I don't believe any fixes are available yet.

Mageia 5 is also affected.

David Walser 2017-02-14 12:08:05 CET

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2017-05-09 16:48:19 CEST
openSUSE has issued an advisory for this on May 8:
https://lists.opensuse.org/opensuse-updates/2017-05/msg00025.html

Comment 2 David Walser 2017-06-04 21:51:10 CEST
Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated zziplib packages fix security vulnerabilities:

Heap-based buffer overflow in __zzip_get32 in fetch.c (CVE-2017-5974).

Heap-based buffer overflow in __zzip_get64 in fetch.c (CVE-2017-5975).

Heap-based buffer overflow in zzip_mem_entry_extra_block in memdisk.c
(CVE-2017-5976).

Invalid memory read in zzip_mem_entry_extra_block in memdisk.c (CVE-2017-5977).

Out of bounds read in zzip_mem_entry_new in memdisk.c (CVE-2017-5978).

NULL pointer dereference in prescan_entry in fseeko.c (CVE-2017-5979).

NULL pointer dereference in zzip_mem_entry_new in memdisk.c (CVE-2017-5980).

Assertion failure in seeko.c (CVE-2017-5981).

NULL pointer dereference in main in unzzipcat-mem.c (bsc#1024532).

NULL pointer dereference in main in unzzipcat.c (bsc#1024537).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5979
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5980
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5981
https://lists.opensuse.org/opensuse-updates/2017-05/msg00025.html
========================

Updated packages in core/updates_testing:
========================
libzziplib0-0.13.62-5.1.mga5
libzziplib-devel-0.13.62-5.1.mga5

from zziplib-0.13.62-5.1.mga5.src.rpm

Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Comment 3 Herman Viaene 2017-06-06 14:18:13 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues
urpmq --whatrequires-recursive libzziplib0
returns a long list, but none of these are familiar to me, so I have no idea how to test this thingie.

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2017-06-06 14:39:57 CEST
Just noticed that swftools is in that list, and bug 20486 requires testing it.
Tracing jpeg2swf shows that libzzip-0 is called, so OK to me.

Whiteboard: (none) => MGA5-32-OK

Comment 5 Dave Hodgins 2017-06-07 07:47:54 CEST
That's bug 20846. Confirmed the update is working on x86_64. Thanks for the suggestion to use gnash to view the swf file, as web browsers open/close the single frame too quickly to verify it's ok.

Advisory committed, validating the update.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Nicolas Lécureuil 2017-06-08 23:26:55 CEST
Update ID assignment failed

Checking for QA validation keyword…
Checking dependent bugs…              (None found)
Checking SRPMs…                       (5/core/zziplib-0.13.62-5.1)


'validated_update' keyword reset.

Keywords: validated_update => (none)

Comment 7 Lewis Smith 2017-06-09 20:31:35 CEST
A confusion over names.
BEFORE the update, I have: lib64zziplib0-0.13.62-5.mga5
Updates Testing has: lib64zziplib0-0.13.62-5.1.mga5 , presumably what was tested (comments 2 & 3).
Both Comment 2 and the advisory have: zziplib-0.13.62-5.1.mga5[.src.rpm]
Missing '0' at the end of the pkg name.
Advisory corrected accordingly; re-validating.

CC: (none) => lewyssmith
Keywords: (none) => validated_update

Comment 8 David Walser 2017-06-09 20:39:20 CEST
The package names in Comment 2 were correct.  The advisory in SVN should only have the SRPM name, which doesn't have a 0.

Comment 9 David Walser 2017-06-09 20:40:21 CEST
From Comment 6 it looks like it was actually missing the .mga5

Comment 10 David Walser 2017-06-09 21:39:39 CEST
I fixed the advisory in SVN.

Comment 11 Mageia Robot 2017-06-10 01:06:38 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0163.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 12 Lewis Smith 2017-06-12 20:56:14 CEST
(In reply to David Walser from comment #8)
> The package names in Comment 2 were correct.  The advisory in SVN should
> only have the SRPM name, which doesn't have a 0.
(In reply to David Walser from comment #9)
> From Comment 6 it looks like it was actually missing the .mga5
Egg on my face! Sorry for the wrong move.

(In reply to David Walser from comment #10)
> I fixed the advisory in SVN.
Thanks.
