Date: Fri, 20 Oct 2023 15:21:13 +0200
From: "lauren n. liberda"
To: ~alpine/users@lists.alpinelinux.org
Subject: Re: Zlib vulnerability CVE-2023-45853 in 3.18.3 and 3.18.4
In-Reply-To: <20231020105006.151d0e30@ncopa-desktop.lan>
Message-ID: <619DE186-52B3-4768-9D93-72AC9DC693EE@selfisekai.rocks>

we do, it is a dependency of a few packages, including chromium
https://pkgs.alpinelinux.org/packages?name=minizip&branch=edge&repo=&arch=&maintainer=

there also is a fork of it packaged, I think this should be checked too, but that's in testing
https://pkgs.alpinelinux.org/packages?name=minizip-ng&branch=edge&repo=&arch=&maintainer=

Natanael Copa <ncopa@alpinelinux.org> wrote on 20 October 2023 10:50:06 CEST:
>On Fri, 20 Oct 2023 08:12:04 +0000
>"Alekh Kanubothula (Nokia)" <alekh.kanubothula@nokia.com> wrote:
>
>> Hi,
>>
>> Recently we found a vulnerability related to zlib in 3.18.3 and 3.18.4.
>> These two versions are almost latest versions. Could you please let
>> us know by when a new version will get released with the zlib patch ?
>
>Hi,
>
>This vulnerability is in contrib/minizip.
>https://nvd.nist.gov/vuln/detail/CVE-2023-45853
>
>The fix also confirms that this is a problem in contrib/minizip/zip.c:
>https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c
>
>To my knowledge we never built this binary or shipped it in any package,
>ever, so there is nothing for us to fix.
>
>https://pkgs.alpinelinux.org/contents?file=minizip&path=&name=&branch=edge
>
>Thanks!
>
>-nc

-- 
lauren n. liberda
it/she
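A way to check the question raised in this thread on a given host, as an added example that is not part of the original messages or of Alpine's tooling: it lists installed packages whose dependencies name minizip, minizip-ng, or a shared library those packages provide, which separates them from packages that only link zlib itself. The database path and field letters are assumed to be those of apk's installed database; the function names and the sample records (versions, sonames) are constructed for illustration.

```shell
# Added example: list installed packages that depend on minizip or minizip-ng,
# read from the apk database (P: name, V: version, D: depends, p: provides).
minizip_dependents() {
    db="${1:-/lib/apk/db/installed}"   # assumed default location of the database
    awk '
        function bare(tok) { sub(/[<>=~].*$/, "", tok); return tok }  # strip "=1.0.0", ">=1.2"
        function emit(   i, n, d, t) {
            if (name == "") return
            if (pass == 1 && (name == "minizip" || name == "minizip-ng")) {
                want[name] = 1
                n = split(prov, d, " ")     # sonames the package provides
                for (i = 1; i <= n; i++) want[bare(d[i])] = 1
            }
            if (pass == 2) {
                n = split(deps, d, " ")
                for (i = 1; i <= n; i++) {
                    t = bare(d[i])
                    if (t in want) { print name " " ver " -> " t; break }
                }
            }
            name = ver = deps = prov = ""
        }
        FNR == 1 { emit(); pass++ }   # the file is read twice: collect, then match
        /^P:/ { name = substr($0, 3) }
        /^V:/ { ver  = substr($0, 3) }
        /^D:/ { deps = substr($0, 3) }
        /^p:/ { prov = substr($0, 3) }
        /^$/  { emit() }
        END   { emit() }
    ' "$db" "$db"
}

# Constructed sample records; versions and sonames are illustrative.
sample_db() {
    cat <<'EOF'
P:minizip
V:1.2.13-r0
D:so:libz.so.1
p:so:libminizip.so.1=1.0.0

P:chromium
V:118.0.5993.70-r0
D:so:libminizip.so.1 so:libz.so.1

P:curl
V:8.4.0-r0
D:so:libz.so.1
EOF
}
```

On an Alpine host, call `minizip_dependents` with no argument to read the live database; with the constructed sample, only the chromium record is reported, since curl depends on zlib alone.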