Debian-LTS has issued an advisory on January 29: https://www.debian.org/lts/security/2023/dla-3290 The issue is fixed upstream in 0.4.39.
Status comment: (none) => Fixed upstream in 0.4.39
Suggested advisory: ======================== The updated packages fix a security vulnerability: A vulnerability classified as problematic has been found in MediaArea ZenLib up to 0.4.38. This affects the function Ztring::Date_From_Seconds_1970_Local of the file Source/ZenLib/Ztring.cpp. The manipulation of the argument Value leads to unchecked return value to null pointer dereference. (CVE-2020-36646) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36646 https://www.debian.org/lts/security/2023/dla-3290 ======================== Updated packages in core/updates_testing: ======================== lib(64)zen0-0.4.38-1.1.mga8 lib(64)zen-devel-0.4.38-1.1.mga8 from SRPM: libzen-0.4.38-1.1.mga8.src.rpm
CC: (none) => nicolas.salgueroStatus: NEW => ASSIGNEDCVE: (none) => CVE-2020-36646Assignee: bugsquad => qa-bugsStatus comment: Fixed upstream in 0.4.39 => (none)
Tested in a mga8-64 Plasma guest in VirtualBox. I installed mediainfo-gui-qt, which drew in lib64zen0 as a dependency. Ran mediainfo, and checked the information of several different media files. Updated lib64zen0, and repeated the test, receiving the same results. Looks OK here. Validating. Advisory in comment 1.
Whiteboard: (none) => MGA8-64-OKCC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0046.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED