Hi, CVE-2023-45853 was announced here: https://www.openwall.com/lists/oss-security/2023/10/20/9 The above link contains a fix for that CVE. Regarding Cauldron, which switched from zlib to zlib-ng, I have the impression that the problem also exists and should be fixed, at least, in mz_compat.c, before line 481, in zipOpenNewFileInZip5(). Best regards, Nico.
CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO, MGA8TOO
Source RPM: (none) => zlib-1.2.13-1.mga9.src.rpm
No registered maintainer, so assigning to all.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
According to https://github.com/zlib-ng/minizip-ng/issues/735, CVE-2023-45853 does not affect Cauldron.
Version: Cauldron => 9
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Suggested advisory:
========================

The updated packages fix a security vulnerability:

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. (CVE-2023-45853)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45853
https://www.openwall.com/lists/oss-security/2023/10/20/9
========================

Updated packages in 9/core/updates_testing:
========================
lib(64)minizip1-1.2.13-1.1.mga9
lib(64)minizip-devel-1.2.13-1.1.mga9
lib(64)zlib1-1.2.13-1.1.mga9
lib(64)zlib-devel-1.2.13-1.1.mga9
lib(64)zlib-static-devel-1.2.13-1.1.mga9

from SRPM:
zlib-1.2.13-1.1.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)minizip1-1.2.12-1.4.mga8
lib(64)minizip-devel-1.2.12-1.4.mga8
lib(64)zlib1-1.2.12-1.4.mga8
lib(64)zlib-devel-1.2.12-1.4.mga8
lib(64)zlib-static-devel-1.2.12-1.4.mga8

from SRPM:
zlib-1.2.12-1.4.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
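The advisory above describes the bug class: the variable-length parts of a zip entry (filename, extra field, comment) are stored in 16-bit length fields of the local and central headers, so a length of 0x10000 or more is silently reduced modulo 2^16 while the full bytes are still copied, and the header buffer sized from those lengths no longer matches what is written into it. The following is an added example, not code from zlib, minizip, zlib-ng or the Mageia package, showing the defensive check that rejects such entries before any header buffer is sized. The fixed header sizes (30 and 46 bytes), the 16-bit length slots and the ZIP_PARAMERROR value follow the zip format and minizip's zip.h; the function names, the demo buffer and the sample entry "a.txt" are hypothetical and constructed for this illustration.

```c
/* Added example (not minizip's code): bounds-check the variable-length fields
 * of a zip entry against the 16-bit length slots of the zip headers. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ZIP_OK          0
#define ZIP_PARAMERROR  (-102)   /* same value minizip's zip.h uses */

#define SIZE_LOCAL_HEADER    30u /* fixed part of a local file header */
#define SIZE_CENTRAL_HEADER  46u /* fixed part of a central directory header */

/* Demo buffer used by main(); constructed for this example only. */
uint8_t demo_local_header[64];

/* What an unchecked length becomes once stored in a 16-bit header field:
 * the value is reduced modulo 2^16, so 0x10000 reads back as 0. */
uint16_t stored_len16(size_t n)
{
    return (uint16_t)n;
}

/* Hypothetical validation step: every variable-length field must fit its
 * 16-bit slot. Returns ZIP_OK or ZIP_PARAMERROR. */
int check_zip_field_sizes(size_t size_filename, size_t size_extrafield_local,
                          size_t size_extrafield_global, size_t size_comment)
{
    if (size_filename > UINT16_MAX || size_extrafield_local > UINT16_MAX ||
        size_extrafield_global > UINT16_MAX || size_comment > UINT16_MAX)
        return ZIP_PARAMERROR;
    return ZIP_OK;
}

/* Size of the local header for an entry, or ZIP_PARAMERROR if rejected.
 * With each term at most 0xffff, the sum cannot overflow. */
long local_header_size(size_t size_filename, size_t size_extrafield_local)
{
    if (check_zip_field_sizes(size_filename, size_extrafield_local, 0, 0) != ZIP_OK)
        return ZIP_PARAMERROR;
    return (long)(SIZE_LOCAL_HEADER + size_filename + size_extrafield_local);
}

/* Size of the central directory header for an entry, or ZIP_PARAMERROR. */
long central_header_size(size_t size_filename, size_t size_extrafield_global,
                         size_t size_comment)
{
    if (check_zip_field_sizes(size_filename, 0, size_extrafield_global,
                              size_comment) != ZIP_OK)
        return ZIP_PARAMERROR;
    return (long)(SIZE_CENTRAL_HEADER + size_filename + size_extrafield_global
                  + size_comment);
}

/* Serialise the signature, the two length fields and the variable data of a
 * local header into buf. Returns bytes written, or -1 when the entry is
 * rejected or buf is too small: the copy never runs past the checked size. */
long write_local_header(uint8_t *buf, size_t buflen,
                        const char *filename, size_t size_filename,
                        const uint8_t *extra, size_t size_extra)
{
    long total = local_header_size(size_filename, size_extra);
    if (total < 0 || buflen < (size_t)total)
        return -1;
    memset(buf, 0, SIZE_LOCAL_HEADER);
    buf[0] = 'P'; buf[1] = 'K'; buf[2] = 3; buf[3] = 4;   /* PK\3\4 signature */
    buf[26] = (uint8_t)(size_filename & 0xff);            /* filename length, LE */
    buf[27] = (uint8_t)(size_filename >> 8);
    buf[28] = (uint8_t)(size_extra & 0xff);               /* extra field length */
    buf[29] = (uint8_t)(size_extra >> 8);
    memcpy(buf + SIZE_LOCAL_HEADER, filename, size_filename);
    if (size_extra)
        memcpy(buf + SIZE_LOCAL_HEADER + size_filename, extra, size_extra);
    return total;
}

int main(void)
{
    long n = write_local_header(demo_local_header, sizeof demo_local_header,
                                "a.txt", 5, NULL, 0);
    printf("local header for a.txt: %ld bytes, name-length field = %u\n",
           n, demo_local_header[26] | (demo_local_header[27] << 8));
    printf("0x10000 stored unchecked in 16 bits reads back as %u\n",
           stored_len16(0x10000));
    printf("entry with a 0x10000-byte name: %s\n",
           local_header_size(0x10000, 0) == ZIP_PARAMERROR ? "rejected" : "accepted");
    return 0;
}
```

The point of the check is that header size and header contents are derived from the same validated numbers; once a length is allowed to exceed what the 16-bit field can express, the two disagree and whatever was allocated from one of them is too small for the other.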
Advisory from comment 3 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".
Keywords: (none) => advisory
CC: (none) => mageia
Installed and tested without issues. Tested using several applications that link to the libraries in the packages. Tested using the ark application by compressing and decompressing files.

Found applications linking the libraries with:

for U in /usr/bin/* ; do [ "$(ldd "$U" | grep -P '(libminizip\.|libz\.)')" != "" ] && echo "$U" ; done 2> /dev/null | sort -u

System: Mageia 8, x86_64, Plasma DE, LXQt DE, AMD Ryzen 5 5600G with Radeon Graphics.

$ uname -a
Linux jupiter 6.1.45-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Fri Aug 11 22:01:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep -P '(minizip|zlib).*1\.2\.12' | sort
lib64minizip1-1.2.12-1.4.mga8
lib64zlib1-1.2.12-1.4.mga8
lib64zlib-devel-1.2.12-1.4.mga8
libzlib1-1.2.12-1.4.mga8
MGA8-64 Plasma on an HP Pavilion 15.

No installation issues.

Since the update fixes a security vulnerability in minizip, that is what I tested this time. Tested using Clipgrab:

$ strace -o minizip.txt clipgrab
$ grep libminizip.so minizip.txt
openat(AT_FDCWD, "/lib64/libminizip.so.1", O_RDONLY|O_CLOEXEC) = 3

Clipgrab downloaded a Youtube video and converted it to .mp4 at a different resolution.

Giving this a MGA8 OK.
CC: (none) => andrewsfarm
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
MGA9-64 Plasma on a desktop system, i5-2500, Intel graphics.

No installation issues.

Looking at the lists produced by urpmq --whatrequires-recursive on these libraries, it's easy to think that a shorter list would be produced if the query was what DIDN'T use them.

Once again I used Clipgrab to download a Youtube video, a different one this time:

$ strace -o minizip.txt clipgrab
$ grep libminizip.so minizip.txt
openat(AT_FDCWD, "/lib64/libminizip.so.1", O_RDONLY|O_CLOEXEC) = 3
$ grep libz.so minizip.txt
openat(AT_FDCWD, "/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3

Clipgrab again downloaded the video and converted it, with no issues.

Giving this a MGA9 OK, and validating.
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0312.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED