openSUSE has issued an advisory on August 15: https://lists.suse.com/pipermail/sle-security-updates/2024-August/019205.html
Status comment: (none) => Patch available from openSUSE
Source RPM: (none) => zziplib-0.13.74-2.mga10.src.rpm
CVE: (none) => CVE-2024-39134
Whiteboard: (none) => MGA9TOO
Source RPM: zziplib-0.13.74-2.mga10.src.rpm => zziplib-0.13.74-2.mga10.src.rpm, zziplib-0.13.72-2.1.mga9.src.rpm
The patches evolved, and I am unsure which is right. These URLs look useful:
https://github.com/gdraheim/zziplib/pull/170
https://github.com/gdraheim/zziplib/commit/af15e89b3f835a20e5fd630bd075a46ca691b1b7
https://github.com/gdraheim/zziplib/compare/35c19a9e69be12b4220d466ae3102bf6af661ece..2a84ae73e93b0c1f4f12f2c58104f8327d10e41b
https://github.com/gdraheim/zziplib/blob/9388abc1007479a465d059d213f512e2166e52e6/zzip/zip.c#L306
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A Stack Buffer Overflow vulnerability in zziplib v0.13.77 allows attackers to cause a denial of service via the __zzip_fetch_disk_trailer() function at /zzip/zip.c. (CVE-2024-39134)

References:
https://lists.suse.com/pipermail/sle-security-updates/2024-August/019205.html
========================

Updated packages in core/updates_testing:
========================
lib(64)zziplib13-0.13.72-2.2.mga9
lib(64)zziplib-devel-0.13.72-2.2.mga9
zziplib-utils-0.13.72-2.2.mga9

from SRPM:
zziplib-0.13.72-2.2.mga9.src.rpm
Version: Cauldron => 9
Status comment: Patch available from openSUSE => (none)
Whiteboard: MGA9TOO => (none)
Assignee: pkg-bugs => qa-bugs
Source RPM: zziplib-0.13.74-2.mga10.src.rpm, zziplib-0.13.72-2.1.mga9.src.rpm => zziplib-0.13.72-2.1.mga9.src.rpm
Status: NEW => ASSIGNED
Keywords: (none) => advisory
RH x86_64

LC_ALL=C urpmi --auto --auto-update
adding 66 new rpms not available in existing hdlist
replacing /var/cache/urpmi/partial/synthesis.hdlist.cz with synthesis.hdlist.cz.tmp
updating /var/cache/urpmi/partial/MD5SUM
updated medium "QA Testing (32-bit)"
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing lib64zziplib13-0.13.72-2.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: lib64zziplib13        ##################################################################################################
      1/1: removing lib64zziplib13-0.13.72-2.1.mga9.x86_64
                                 ##################################################################################################

LC_ALL=C urpmi zziplib-utils
installing zziplib-utils-0.13.72-2.2.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/1: zziplib-utils         ##################################################################################################

unzip some .zip files with unzzip
all the content in the zip files is restored as expected
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0289.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED