Bug 29178 - zziplib new security issue CVE-2020-18442
Summary: zziplib new security issue CVE-2020-18442
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-06-25 23:48 CEST by David Walser
Modified: 2021-07-20 12:48 CEST
CC List: 5 users

See Also:
Source RPM: zziplib-0.13.71-1.mga8.src.rpm
CVE: CVE-2020-18442
Status comment:


Attachments

Description David Walser 2021-06-25 23:48:52 CEST
SUSE has issued an advisory today (June 25):
https://lists.suse.com/pipermail/sle-security-updates/2021-June/009090.html

The issue might be fixed upstream in 0.13.72, though as of this posting there's still some confusion on that:
https://github.com/gdraheim/zziplib/issues/68

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-06-25 23:49:20 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Lewis Smith 2021-06-26 20:13:36 CEST
Assigning this to everybody in the absence of an evident maintainer.

Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2021-07-01 18:59:40 CEST
Removing Mageia 7 from whiteboard due to EOL:
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA8TOO, MGA7TOO => MGA8TOO

Comment 3 Nicolas Salguero 2021-07-02 11:56:31 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a denial of service via the return value "zzip_file_read" in the function "unzzip_cat_file". (CVE-2020-18442)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-18442
https://lists.suse.com/pipermail/sle-security-updates/2021-June/009090.html
========================

Updated packages in core/updates_testing:
========================
lib(64)zziplib13-0.13.72-1.mga8
lib(64)zziplib-devel-0.13.72-1.mga8
zziplib-utils-0.13.72-1.mga8

from SRPM:
zziplib-0.13.72-1.mga8.src.rpm

CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA8TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 8
CVE: (none) => CVE-2020-18442
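The advisory above describes the CVE as an infinite loop driven by the return value of zzip_file_read inside unzzip_cat_file. The following is an added illustration of that bug class, written for this page; it is not zziplib's code and not the upstream fix. A constructed entry reader (entry_read, payload, entry_t and run_demo are all assumed names for the example) mimics the usual read contract: a positive count on progress, 0 at end of entry, -1 on error, and it keeps returning -1 once the entry is damaged. The unchecked loop ends only on 0 and so spins when every read fails; the checked loop ends on any non-positive return and reports the error separately from end-of-entry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a zip-entry reader (assumption: this is NOT
 * zziplib's zzip_file_read, only its return contract): >0 bytes read,
 * 0 at end of entry, -1 on error. Once `fail_at` is reached every call
 * returns -1, the way a damaged entry keeps failing on every retry. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
    size_t fail_at;          /* SIZE_MAX means the entry never fails */
} entry_t;

static long entry_read(entry_t *e, unsigned char *buf, size_t n)
{
    if (e->pos >= e->fail_at)
        return -1;
    if (e->pos >= e->len)
        return 0;
    size_t chunk = e->len - e->pos;
    if (e->fail_at - e->pos < chunk)
        chunk = e->fail_at - e->pos;
    if (n < chunk)
        chunk = n;
    memcpy(buf, e->data + e->pos, chunk);
    e->pos += chunk;
    return (long)chunk;
}

/* Bug-class loop: only a return of 0 ends it, so a persistent -1 spins
 * forever. The `cap` argument is demo instrumentation so this function
 * returns instead of hanging; real code of this shape has no such cap.
 * Returns bytes copied, or -2 when the cap was hit (i.e. it would hang). */
static long cat_entry_unchecked(entry_t *e, unsigned char *out, size_t outcap,
                                unsigned long cap)
{
    unsigned char buf[16];
    long n, total = 0;
    unsigned long iters = 0;

    while ((n = entry_read(e, buf, sizeof buf)) != 0) {
        if (++iters > cap)
            return -2;
        if (n > 0 && (size_t)total + (size_t)n <= outcap) {
            memcpy(out + total, buf, (size_t)n);
            total += n;
        }
    }
    return total;
}

/* Hardened loop: stop on anything that is not progress (n <= 0) and
 * report a read error distinctly from a clean end-of-entry.
 * Returns bytes copied, or -1 if the reader reported an error. */
static long cat_entry_checked(entry_t *e, unsigned char *out, size_t outcap)
{
    unsigned char buf[16];
    long n, total = 0;

    while ((n = entry_read(e, buf, sizeof buf)) > 0) {
        if ((size_t)total + (size_t)n > outcap)
            return -1;      /* output buffer would overflow: treat as error */
        memcpy(out + total, buf, (size_t)n);
        total += n;
    }
    return n < 0 ? -1 : total;
}

/* Run one loop over a constructed 22-byte entry; corrupt=1 makes the reader
 * fail after 10 bytes. Returns the loop's result code. */
long run_demo(int hardened, int corrupt)
{
    static const unsigned char payload[] = "hello world, zip entry"; /* constructed */
    unsigned char out[64];
    entry_t e = { payload, sizeof payload - 1, 0, corrupt ? 10 : SIZE_MAX };

    return hardened ? cat_entry_checked(&e, out, sizeof out)
                    : cat_entry_unchecked(&e, out, sizeof out, 1000);
}

int main(void)
{
    printf("intact  entry, unchecked loop: %ld\n", run_demo(0, 0));
    printf("intact  entry, checked   loop: %ld\n", run_demo(1, 0));
    printf("corrupt entry, unchecked loop: %ld (would hang)\n", run_demo(0, 1));
    printf("corrupt entry, checked   loop: %ld (error reported)\n", run_demo(1, 1));
    return 0;
}
```

On an intact entry both loops copy all 22 bytes; on the damaged entry the unchecked loop only returns because of the instrumentation cap, which is the denial-of-service the advisory refers to, while the checked loop returns -1 after the first failed read. The same `> 0` test is the check a reviewer should look for in any loop around a reader that signals errors with a negative return.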

Comment 4 Len Lawrence 2021-07-15 18:49:27 CEST
Shall have a look at this for x86_64 later.  There is a PoC for the CVE.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2021-07-15 20:37:20 CEST
mga8, x86_64

CVE-2020-18442
https://github.com/gdraheim/zziplib/issues/68

$ unzzip POC.zip
Hangs - does not respond to Ctrl-C.
$ ps aux | grep zzip
lcl      1149091  3.2  0.0      0     0 pts/6    D+   18:50   0:02 [unzzip]

Could not kill it or killall it.  Closed the terminal.
Tried zip.
$ unzip POC.zip
Archive:  POC.zip
error [POC.zip]:  missing 16 bytes in zipfile
  (attempting to process anyway)
error: invalid zip file with overlapped components (possible zip bomb)

Updated using qarepo.
CVE-2020-18442
$ unzzip POC.zip
$ 
Good result.

$ locate zzip | grep bin
/usr/bin/unzzip
/usr/bin/unzzip-big
/usr/bin/unzzip-mem
/usr/bin/unzzip-mix
There does not seem to be a zzip equivalent to unzzip, so how to create zziped files?
Meanwhile shall try unzzip on normal zipped files.
$ unzzip /usr/lib64/libreoffice/share/config/images_sifr_svg.zip
That had a remarkable effect, creating all this:
drwxr-xr-x 1 lcl lcl      6 Jul 15 19:19  avmedia/
drwxr-xr-x 1 lcl lcl      6 Jul 15 19:19  chart2/
drwxr-xr-x 1 lcl lcl  93954 Jul 15 19:20  cmd/
[...]
drwxr-xr-x 1 lcl lcl      6 Jul 15 19:20  wizards/
drwxr-xr-x 1 lcl lcl      6 Jul 15 19:20  xmlsecurity/

$ unzzip /usr/share/calibre/builtin_recipes.zip
unzipped a very large archive of PNG and recipe files.

If this is the correct way to test unzzip then zziplib can probably be sent on but the other utilities need to be pinged first.  Later.
Comment 6 Len Lawrence 2021-07-15 20:41:46 CEST
And these:
$ urpmq --whatrequires lib64zziplib13
lib64ogre1.9.1
mpd
swftools
texlive
Comment 7 Len Lawrence 2021-07-17 18:54:24 CEST
Tried mpd to start with.
It has to be started as a service but there are no default configuration files.  The user has to start from scratch.  The user manual is online,
https://mpd.readthedocs.io/en/stable/user.html, and the user has to be aware already of the meanings of the terms and know the designations of sound cards and other things.

First, console permissions of 0660 for root needed to be set, which meant creating a one-line configuration file in /etc/console.perms.d:
<console>  0660 <sound>      0660 root.audio
Also, a user config file is needed.
$ cat .config/mpd/mpd.conf
connection_timeout "12"
music_directory "~/Music"

# systemctl enable mpd
# systemctl enable mpd
# systemctl status mpd
● mpd.service - Music Player Daemon
     Loaded: loaded (/usr/lib/systemd/system/mpd.service; enabled; vendor preset: disabled)
     Active: failed (Result: exit-code) since Sat 2021-07-17 17:01:58 BST; 27min ago
TriggeredBy: ● mpd.socket
       Docs: man:mpd(1)
             man:mpd.conf(5)
    Process: 2015278 ExecStart=/usr/bin/mpd --no-daemon (code=exited, status=1/FAILURE)
   Main PID: 2015278 (code=exited, status=1/FAILURE)
        CPU: 70ms

Jul 17 17:01:58 canopus systemd[1]: Starting Music Player Daemon...
Jul 17 17:01:58 canopus mpd[2015278]: Jul 17 17:01 : exception: Decoder plugin 'wildmidi' is unavailable: c>
Jul 17 17:01:58 canopus mpd[2015278]: Jul 17 17:01 : exception: Database corrupted
Jul 17 17:01:58 canopus mpd[2015278]: Jul 17 17:01 : exception: Unrecognized mixer type
.............

So this is a non-starter.  Abandoning it there.

swftools is a collection of programs for handling Adobe Shockwave Flash files.
See http://www.swftools.org/
$ swfdump surfacefly_spirit.swf > swf.dump
$ head swf.dump
[HEADER]        File version: 6
[HEADER]        File is zlib compressed. Ratio: 98%
[HEADER]        File size: 20003889
[HEADER]        Frame rate: 25.000000
[HEADER]        Frame count: 65535
[HEADER]        Movie width: 640.00
[HEADER]        Movie height: 360.00
[009]         3 SETBACKGROUNDCOLOR (00/00/00)
[03c]        10 DEFINEVIDEOSTREAM defines id 0099 (65535 frames, 640x368 sorenson h.263)
[03d]     12444 VIDEOFRAME adds information to id 0099 (frame 0) 640x368 I-frame quant: 7 

$ strace -o swf.trace swfdump surfacefly_spirit.swf
$ grep zz swf.trace
openat(AT_FDCWD, "/lib64/libzzip.so.13", O_RDONLY|O_CLOEXEC) = 3

That will have to do.  Giving this an OK for 64-bits.

Whiteboard: (none) => MGA8-64-OK

Comment 8 Thomas Andrews 2021-07-18 22:01:41 CEST
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet 2021-07-19 22:01:45 CEST

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 9 Mageia Robot 2021-07-20 12:48:13 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0359.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
