CVEs have been assigned for several security issues in zziplib:
CVE requests were originally filed on February 9:
I don't believe any fixes are available yet.
Mageia 5 is also affected.
openSUSE has issued an advisory for this on May 8:
Patched packages uploaded for Mageia 5 and Cauldron.
Updated zziplib packages fix security vulnerabilities:
Heap-based buffer overflow in __zzip_get32 in fetch.c (CVE-2017-5974).
Heap-based buffer overflow in __zzip_get64 in fetch.c (CVE-2017-5975).
Heap-based buffer overflow in zzip_mem_entry_extra_block in memdisk.c
Invalid memory read in zzip_mem_entry_extra_block in memdisk.c (CVE-2017-5977).
Out of bounds read in zzip_mem_entry_new in memdisk.c (CVE-2017-5978).
NULL pointer dereference in prescan_entry in fseeko.c (CVE-2017-5979).
NULL pointer dereference in zzip_mem_entry_new in memdisk.c (CVE-2017-5980).
Assertion failure in seeko.c (CVE-2017-5981).
NULL pointer dereference in main in unzzipcat-mem.c (bsc#1024532).
NULL pointer dereference in main in unzzipcat.c (bsc#1024537).
Updated packages in core/updates_testing:
MGA5-32 on Asus A6000VM Xfce
No installation issues
urpmq --whatrequires-recursive libzziplib0
returns a long list, but none of these are familiar to me, so I have no idea how to test this thingie.
Just noticed that swftools is in that list, and bug 20486 requires testing it.
Tracing jpeg2swf shows that libzzip-0 is called, so OK to me.
That's bug 20846. Confirmed the update is working on x86_64. Thanks for the suggestion to use gnash to view the swf file, as web browsers open/close the single frame too quickly to verify it's ok.
Advisory committed, validating the update.
MGA5-32-OK advisory MGA5-64-OK
Update ID assignment failed
Checking for QA validation keyword…
Checking dependent bugs… (None found)
Checking SRPMs… (5/core/zziplib-0.13.62-5.1)
'validated_update' keyword reset.
A confusion over names.
BEFORE the update, I have: lib64zziplib0-0.13.62-5.mga5
Updates Testing has: lib64zziplib0-0.13.62-5.1.mga5, presumably what was tested (comments 2 & 3).
Both Comment 2 and the advisory have: zziplib-0.13.62-5.1.mga5[.src.rpm]
Missing '0' at the end of the pkg name.
Advisory corrected accordingly; re-validating.
The package names in Comment 2 were correct. The advisory in SVN should only have the SRPM name, which doesn't have a 0.
From Comment 6 it looks like it was actually missing the .mga5
I fixed the advisory in SVN.
An update for this issue has been pushed to the Mageia Updates repository.
(In reply to David Walser from comment #8)
> The package names in Comment 2 were correct. The advisory in SVN should
> only have the SRPM name, which doesn't have a 0.
(In reply to David Walser from comment #9)
> From Comment 6 it looks like it was actually missing the .mga5
Egg on my face! Sorry for the wrong move.
(In reply to David Walser from comment #10)
> I fixed the advisory in SVN.