That CVE was announced here: https://www.openwall.com/lists/oss-security/2024/01/24/10
The fix is here: https://github.com/madler/zlib/commit/14a5f8f266c16c87ab6c086fc52b770b27701e01
Source RPM: (none) => zlib-1.2.13-1.1.mga9.src.rpm
CVE: (none) => CVE-2014-9485
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Directory traversal vulnerability in the do_extract_currentfile function in miniunz.c in miniunzip in minizip before 1.1-5 might allow remote attackers to write to arbitrary files via a crafted entry in a ZIP archive. (CVE-2014-9485)

References:
https://www.openwall.com/lists/oss-security/2024/01/24/10
========================

Updated packages in core/updates_testing:
========================
lib(64)minizip1-1.2.13-1.2.mga9
lib(64)minizip-devel-1.2.13-1.2.mga9
lib(64)zlib1-1.2.13-1.2.mga9
lib(64)zlib-devel-1.2.13-1.2.mga9
lib(64)zlib-static-devel-1.2.13-1.2.mga9

from SRPM:
zlib-1.2.13-1.2.mga9.src.rpm
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => mageia
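The advisory above describes a ZIP entry whose stored name makes the extractor write outside its target directory. As an added example (not part of this bug report and not the code from the linked zlib commit), the following C sketch shows one way an extractor can vet an entry name before creating the file; the function names and the sample names are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if a ZIP entry name can be created beneath the extraction
 * directory, 0 if it could escape it. Hypothetical helper, not minizip API.
 * Symlinks already present in the destination are out of scope here. */
int entry_name_is_safe(const char *name)
{
    const char *p = name;

    if (name == NULL || *name == '\0')
        return 0;
    /* Absolute paths: POSIX root, backslash/UNC root, DOS drive letter. */
    if (*name == '/' || *name == '\\')
        return 0;
    if (((name[0] >= 'A' && name[0] <= 'Z') ||
         (name[0] >= 'a' && name[0] <= 'z')) && name[1] == ':')
        return 0;
    /* Split on either separator and reject any ".." component. */
    while (*p != '\0') {
        size_t len = strcspn(p, "/\\");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += len;
        if (*p != '\0')
            p++;                      /* skip the separator */
    }
    return 1;
}

/* Counts the entries an extractor should refuse to write. */
int count_unsafe(const char *const *names, int n)
{
    int i, bad = 0;
    for (i = 0; i < n; i++)
        if (!entry_name_is_safe(names[i]))
            bad++;
    return bad;
}

int main(void)
{
    /* Constructed sample entry names, not taken from any real archive. */
    const char *const names[] = { "docs/readme.txt", "../../outside.txt",
                                  "/abs/file", "a/..b/c", "sub\\..\\..\\x" };
    int i, n = (int)(sizeof names / sizeof names[0]);

    for (i = 0; i < n; i++)
        printf("%-20s %s\n", names[i],
               entry_name_is_safe(names[i]) ? "extract" : "refuse");
    return count_unsafe(names, n) == 3 ? 0 : 1;
}
```
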
Mageia9, x86_64

Could not find a reproducer in the redhat links. Ran strace on xqf, chromium-browser and gthumb and found /lib64/libz.so.1 was successfully opened in all three. Got as far as the opening interface in xqf but gthumb and Chrome could be used without any regressions. Giving this the green light.
CC: (none) => tarazed25
Whiteboard: (none) => MGA9-64-OK
Validating. Advisory in comment 1. Len, perhaps a good place to practice your new advisory-uploading skills. ;-)
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
Keywords: advisory => (none)
Keywords: (none) => advisory
CC: (none) => marja11
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0019.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED