Bug 32426 - zlib (minizip) new security issue CVE-2023-45853
Summary: zlib (minizip) new security issue CVE-2023-45853
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-10-23 09:28 CEST by Nicolas Salguero
Modified: 2023-11-09 14:57 CET
CC List: 5 users

See Also:
Source RPM: zlib-1.2.13-1.mga9.src.rpm
CVE:
Status comment:

Description Nicolas Salguero 2023-10-23 09:28:18 CEST
Hi,

CVE-2023-45853 was announced here:
https://www.openwall.com/lists/oss-security/2023/10/20/9

The above link contains a fix for that CVE.

Regarding Cauldron, which switched from zlib to zlib-ng, I have the impression that the problem also exists and should be fixed, at least, in mz_compat.c, before line 481, in zipOpenNewFileInZip5().

Best regards,

Nico.
Nicolas Salguero 2023-10-23 09:28:56 CEST

CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA9TOO, MGA8TOO
Source RPM: (none) => zlib-1.2.13-1.mga9.src.rpm

Comment 1 Marja Van Waes 2023-10-24 23:28:40 CEST
No registered maintainer, so assigning to all.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Salguero 2023-11-03 10:46:59 CET
According to https://github.com/zlib-ng/minizip-ng/issues/735, CVE-2023-45853 does not affect Cauldron.
Nicolas Salguero 2023-11-03 10:47:20 CET

Version: Cauldron => 9
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO

Comment 3 Nicolas Salguero 2023-11-03 10:58:27 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. (CVE-2023-45853)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45853
https://www.openwall.com/lists/oss-security/2023/10/20/9
========================

Updated packages in 9/core/updates_testing:
========================
lib(64)minizip1-1.2.13-1.1.mga9
lib(64)minizip-devel-1.2.13-1.1.mga9
lib(64)zlib1-1.2.13-1.1.mga9
lib(64)zlib-devel-1.2.13-1.1.mga9
lib(64)zlib-static-devel-1.2.13-1.1.mga9

from SRPM:
zlib-1.2.13-1.1.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
lib(64)minizip1-1.2.12-1.4.mga8
lib(64)minizip-devel-1.2.12-1.4.mga8
lib(64)zlib1-1.2.12-1.4.mga8
lib(64)zlib-devel-1.2.12-1.4.mga8
lib(64)zlib-static-devel-1.2.12-1.4.mga8

from SRPM:
zlib-1.2.12-1.4.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
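As an added illustration (constructed for this report, not zlib's own code nor the patch shipped in these packages), the shape of the arithmetic the advisory describes: the central-header size is summed in a 32-bit unsigned, so oversized field lengths wrap it to a small allocation that later copies of the full-length fields overrun. The guard shown rejects any length above 0xffff, the bound imposed by the 16-bit length fields of the zip header format; function names, constants and the sample lengths are assumptions.

```c
/* Constructed example: minizip-style header size computation, unchecked
 * vs. checked. Not the upstream code; it mirrors the bug class only. */
#include <stdint.h>
#include <stdio.h>

#define SIZECENTRALHEADER 0x2e   /* fixed part of a central directory entry */
#define ZIP_PARAMERROR   (-102)  /* error value, as in minizip's API style */

/* Vulnerable shape: all four lengths are uInt (32-bit). For lengths close
 * to UINT32_MAX the sum wraps, a tiny buffer is allocated, and the later
 * memcpy of the full-size filename/comment/extra field overflows the heap. */
uint32_t header_size_unchecked(uint32_t size_filename,
                               uint32_t size_extrafield_global,
                               uint32_t size_comment) {
    return (uint32_t)SIZECENTRALHEADER + size_filename
         + size_extrafield_global + size_comment;
}

/* Hardened shape: the zip format stores each length in 16 bits, so any
 * field longer than 0xffff is invalid input. Rejecting it first bounds the
 * sum at 0x2e + 3 * 0xffff, which cannot wrap a 32-bit value.
 * Returns the header size, or ZIP_PARAMERROR (negative) on bad input. */
long long header_size_checked(uint32_t size_filename,
                              uint32_t size_extrafield_local,
                              uint32_t size_extrafield_global,
                              uint32_t size_comment) {
    if (size_filename > 0xffff || size_extrafield_local > 0xffff ||
        size_extrafield_global > 0xffff || size_comment > 0xffff)
        return ZIP_PARAMERROR;
    return (long long)SIZECENTRALHEADER + size_filename
         + size_extrafield_global + size_comment;
}

int main(void) {
    /* Constructed length: a 0xfffffff0-byte filename (never allocated here)
     * wraps the unchecked sum 0x2e + 0xfffffff0 to 0x1e = 30 bytes. */
    uint32_t wrapped = header_size_unchecked(0xfffffff0u, 0, 0);
    printf("unchecked: name length 0x%x -> allocation of %u bytes\n",
           0xfffffff0u, wrapped);
    long long rc = header_size_checked(0xfffffff0u, 0, 0, 0);
    printf("checked:   oversized name -> %lld (rejected)\n", rc);
    rc = header_size_checked(12, 0, 0, 5);
    printf("checked:   12-byte name, 5-byte comment -> %lld bytes\n", rc);
    return 0;
}
```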

Comment 4 Marja Van Waes 2023-11-03 11:24:43 CET
Advisory from comment 3 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

Keywords: (none) => advisory

PC LX 2023-11-03 13:46:28 CET

CC: (none) => mageia

Comment 5 PC LX 2023-11-03 23:39:47 CET
Installed and tested without issues.

Tested using several applications that link to the libraries in the packages.
Tested using the ark application by compressing and decompressing files.

Found applications linking the libraries with:
for U in /usr/bin/* ; do [ "$(ldd "$U" | grep -P '(libminizip\.|libz\.)')" != "" ] && echo "$U" ; done 2> /dev/null | sort -u


System: Mageia 8, x86_64, Plasma DE, LXQt DE, AMD Ryzen 5 5600G with Radeon Graphics.


$ uname -a
Linux jupiter 6.1.45-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Fri Aug 11 22:01:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep -P '(minizip|zlib).*1\.2\.12' | sort
lib64minizip1-1.2.12-1.4.mga8
lib64zlib1-1.2.12-1.4.mga8
lib64zlib-devel-1.2.12-1.4.mga8
libzlib1-1.2.12-1.4.mga8
Comment 6 Thomas Andrews 2023-11-09 01:33:09 CET
MGA8-64 Plasma on an HP Pavilion 15. No installation issues.

Since the update fixes a security vulnerability in minizip, that is what I tested this time. Tested using Clipgrab:

$ strace -o minizip.txt clipgrab
$ grep libminizip.so minizip.txt
openat(AT_FDCWD, "/lib64/libminizip.so.1", O_RDONLY|O_CLOEXEC) = 3

Clipgrab downloaded a Youtube video and converted it to .mp4 at a different resolution.

Giving this a MGA8 OK.

CC: (none) => andrewsfarm
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 7 Thomas Andrews 2023-11-09 02:25:10 CET
MGA9-64 Plasma on a desktop system, i5-2500, Intel graphics. No installation issues.

Looking at the lists produced by urpmq --whatrequires-recursive on these libraries, it's easy to think that a shorter list would be produced if the query was what DIDN'T use them.

Once again I used Clipgrab to download a Youtube video, a different one this time:

$ strace -o minizip.txt clipgrab
$ grep libminizip.so minizip.txt
openat(AT_FDCWD, "/lib64/libminizip.so.1", O_RDONLY|O_CLOEXEC) = 3
$ grep libz.so minizip.txt
openat(AT_FDCWD, "/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3

Clipgrab again downloaded the video and converted it, with no issues.

Giving this a MGA9 OK, and validating.

Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2023-11-09 14:57:33 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0312.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

