Bug 34954 - zlib new security issue CVE-2026-22184
Summary: zlib new security issue CVE-2026-22184
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-01-08 23:28 CET by r howard
Modified: 2026-01-11 02:08 CET

See Also:
Source RPM: zlib-1.2.13-1.2.mga9
CVE: CVE-2026-22184
Status comment:
j.alberto.vc: test_passed_mga9_64+


Description r howard 2026-01-08 23:28:54 CET
Issue with zlib announced here:
https://www.cve.org/CVERecord?id=CVE-2026-22184

Nicolas Salguero 2026-01-09 10:30:12 CET

CC: (none) => nicolas.salguero
CVE: (none) => CVE-2026-22184
QA Contact: (none) => security
Component: RPM Packages => Security

Comment 1 Nicolas Salguero 2026-01-09 10:43:00 CET
Another reference: https://www.openwall.com/lists/oss-security/2026/01/06/5

Comment 2 Nicolas Salguero 2026-01-09 10:51:30 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

zlib <= 1.3.1.2 untgz Global Buffer Overflow in TGZfname(). (CVE-2026-22184)

References:
https://www.openwall.com/lists/oss-security/2026/01/06/5
========================

Updated packages in core/updates_testing:
========================
lib(64)minizip-devel-1.2.13-1.3.mga9
lib(64)minizip1-1.2.13-1.3.mga9
lib(64)zlib-devel-1.2.13-1.3.mga9
lib(64)zlib-static-devel-1.2.13-1.3.mga9
lib(64)zlib1-1.2.13-1.3.mga9

from SRPM:
zlib-1.2.13-1.3.mga9.src.rpm

Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs

papoteur 2026-01-09 12:54:09 CET

Source RPM: zlib-1.2.13-1.2.mga9.src .rpm => zlib-1.2.13-1.2.mga9
CC: (none) => yves.brungard

katnatek 2026-01-09 22:36:40 CET

Keywords: (none) => advisory

Comment 3 katnatek 2026-01-10 02:55:25 CET
RH x86_64

installing lib64zlib1-1.2.13-1.3.mga9.x86_64.rpm lib64minizip1-1.2.13-1.3.mga9.x86_64.rpm lib64zlib-devel-1.2.13-1.3.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     #####################################################################################
      1/3: lib64zlib1            #####################################################################################
      2/3: lib64minizip1         #####################################################################################
      3/3: lib64zlib-devel       #####################################################################################
      1/4: removing lib64zlib-devel-1.2.13-1.2.mga9.x86_64
                                 #####################################################################################
      2/4: removing lib64minizip1-1.2.13-1.2.mga9.x86_64
                                 #####################################################################################
      3/4: removing lib64zlib1-1.2.13-1.mga9.x86_64
                                 #####################################################################################
      4/4: removing lib64zlib1-1.2.13-1.2.mga9.x86_64
                                 #####################################################################################


strace smplayer shows:
openat(AT_FDCWD, "/usr/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3

strace vlc shows:
openat(AT_FDCWD, "/usr/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3

Of the applications I have on my system, only zapzap (a WhatsApp client) depends on
lib64minizip1, indirectly, because it uses qtwebengine6:

openat(AT_FDCWD, "/usr/lib64/libminizip.so.1", O_RDONLY|O_CLOEXEC) = 3

Flags: (none) => test_passed_mga9_64+

Comment 4 Thomas Andrews 2026-01-10 16:39:16 CET
Validating.

Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2026-01-11 02:08:27 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0006.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

