Bug 33527 - zziplib new security issue CVE-2024-39134
Summary: zziplib new security issue CVE-2024-39134
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-09-06 09:25 CEST by Nicolas Salguero
Modified: 2024-09-10 18:41 CEST (History)
2 users (show)

See Also:
Source RPM: zziplib-0.13.72-2.1.mga9.src.rpm
CVE: CVE-2024-39134
Status comment:


Attachments

Description Nicolas Salguero 2024-09-06 09:25:08 CEST
openSUSE has issued an advisory on August 15:
https://lists.suse.com/pipermail/sle-security-updates/2024-August/019205.html
Nicolas Salguero 2024-09-06 09:25:38 CEST

Status comment: (none) => Patch available from openSUSE
Source RPM: (none) => zziplib-0.13.74-2.mga10.src.rpm
CVE: (none) => CVE-2024-39134
Whiteboard: (none) => MGA9TOO

Nicolas Salguero 2024-09-06 09:25:51 CEST

Source RPM: zziplib-0.13.74-2.mga10.src.rpm => zziplib-0.13.74-2.mga10.src.rpm, zziplib-0.13.72-2.1.mga9.src.rpm

Comment 2 Nicolas Salguero 2024-09-09 11:58:16 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A Stack Buffer Overflow vulnerability in zziplibv 0.13.77 allows attackers to cause a denial of service via the __zzip_fetch_disk_trailer() function at /zzip/zip.c. (CVE-2024-39134)

References:
https://lists.suse.com/pipermail/sle-security-updates/2024-August/019205.html
========================

Updated packages in core/updates_testing:
========================
lib(64)zziplib13-0.13.72-2.2.mga9
lib(64)zziplib-devel-0.13.72-2.2.mga9
zziplib-utils-0.13.72-2.2.mga9

from SRPM:
zziplib-0.13.72-2.2.mga9.src.rpm

Version: Cauldron => 9
Status comment: Patch available from openSUSE => (none)
Whiteboard: MGA9TOO => (none)
Assignee: pkg-bugs => qa-bugs
Source RPM: zziplib-0.13.74-2.mga10.src.rpm, zziplib-0.13.72-2.1.mga9.src.rpm => zziplib-0.13.72-2.1.mga9.src.rpm
Status: NEW => ASSIGNED

katnatek 2024-09-09 18:59:49 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2024-09-09 19:58:00 CEST
RH x86_64

LC_ALL=C urpmi --auto --auto-update
adding 66 new rpms not available in existing hdlist
replacing /var/cache/urpmi/partial/synthesis.hdlist.cz with synthesis.hdlist.cz.tmp
updating /var/cache/urpmi/partial/MD5SUM
updated medium "QA Testing (32-bit)"
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing lib64zziplib13-0.13.72-2.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: lib64zziplib13        ##################################################################################################
      1/1: removing lib64zziplib13-0.13.72-2.1.mga9.x86_64
                                 ##################################################################################################

LC_ALL=C urpmi zziplib-utils

installing zziplib-utils-0.13.72-2.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: zziplib-utils         ##################################################################################################


unzip some .zip files with unzzip all the content in zip filea is restored as expected

Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2024-09-10 03:10:45 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2024-09-10 18:41:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0289.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.