Bug 29495 - sharpziplib new security issue fixed upstream in 1.3.3
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords:
Depends on:
Blocks:
 
Reported: 2021-09-26 20:06 CEST by David Walser
Modified: 2021-10-02 21:10 CEST

See Also:
Source RPM: sharpziplib-1.3.0-0.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-09-26 20:06:25 CEST
Fedora has issued an advisory on September 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/M7S6USDLPKJVHTQRZQU2AA5N2MUW3XWZ/

The issue is fixed upstream in 1.3.3.

Mageia 8 is also affected.
David Walser 2021-09-26 20:06:39 CEST

Whiteboard: (none) => MGA8TOO

Comment 2 Nicolas Lécureuil 2021-09-27 17:24:50 CEST
updated in cauldron.

Version: Cauldron => 8
CC: (none) => mageia
Whiteboard: MGA8TOO => (none)

Comment 3 Nicolas Lécureuil 2021-09-27 17:26:08 CEST
pushed in mga8:

src:
    - sharpziplib-1.3.3-1.mga8

Assignee: joequant => qa-bugs

Comment 4 David Walser 2021-09-27 18:37:14 CEST
sharpziplib-1.3.3-1.mga8
sharpziplib-devel-1.3.3-1.mga8

sharpziplib-1.3.3-1.mga8.src.rpm

Comment 5 Len Lawrence 2021-09-28 20:37:12 CEST
mga8, x64

The "sharp" alludes to its C# coding and much of the online documentation concerns programming, and urpmq indicates that no Mageia packages depend on it.
Upstream simply states that the new release contains a security fix.
Mono tools are mentioned in various places.
$ urpmq --requires sharpziplib
mono(System)[== 4.0.0.0]
mono(System.Core)[== 4.0.0.0]
mono(mscorlib)[== 4.0.0.0]
mono-core
$ urpmq -i sharpziplib
Name        : sharpziplib
Version     : 1.3.0
Release     : 0.mga8
Group       : Development/C#
Size        : 217752                       Architecture: x86_64
Source RPM  : sharpziplib-1.3.0-0.mga8.src.rpm
URL         : http://icsharpcode.github.io/SharpZipLib
Summary     : Zip, GZip, Tar and BZip2 library
Description :
SharpZipLib, formerly NZipLib is a Zip, GZip, Tar and BZip2 library
written entirely in C# . It is implemented as an assembly (installable
in the GAC), and thus can easily be incorporated into other projects.
 
/usr/share/doc/sharpziplib contains the README.md file which provides information of interest to developers.

The two packages updated without issues.
Since this is a library with no accompanying tools there is little we can do here except pass this as ready for use, with fingers crossed.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 6 David Walser 2021-09-28 21:13:08 CEST
It calls into question why we even have this package.

CC: (none) => joequant

Comment 7 Thomas Andrews 2021-10-02 05:50:06 CEST
A question to be answered another day. 

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Dave Hodgins 2021-10-02 19:49:25 CEST
Un-validating.

What about the rebuild of mono-tools mentioned in comment 1?

CC: (none) => davidwhodgins
Keywords: validated_update => (none)

Comment 9 Dave Hodgins 2021-10-02 21:10:53 CEST
Adding Matteo to cc list, as the registered maintainer for mono-tools.
Please see comment 1

CC: (none) => matteo.pasotti

