Subject: Re: Zlib vulnerability CVE-2023-45853 in 3.18.3 and 3.18.4
From: "lauren n. liberda"
To: ~alpine/users@lists.alpinelinux.org
Date: Fri, 20 Oct 2023 17:22:58 +0200
In-Reply-To: <619DE186-52B3-4768-9D93-72AC9DC693EE@selfisekai.rocks>

merged and built in both edge and 3.18 for the minizip package, `apk upgrade` now!

minizip-ng diverged a lot from the upstream minizip, so the patch does not apply. nothing in aports seems to depend on it yet, so not much of a worry. waiting for a response from them.

On 10/20/23 15:21, lauren n. liberda wrote:
> we do, it is a dependency of a few packages, including chromium
> https://pkgs.alpinelinux.org/packages?name=minizip&branch=edge&repo=&arch=&maintainer=
>
> there also is a fork of it packaged, I think this should be checked too, but that's in testing
> https://pkgs.alpinelinux.org/packages?name=minizip-ng&branch=edge&repo=&arch=&maintainer=
>
> Natanael Copa <ncopa@alpinelinux.org> wrote on 20 October 2023 10:50:06 CEST:
>> On Fri, 20 Oct 2023 08:12:04 +0000 "Alekh Kanubothula (Nokia)" <alekh.kanubothula@nokia.com> wrote:
>>> Hi, recently we found a vulnerability related to zlib in 3.18.3 and 3.18.4. These two versions are almost the latest versions. Could you please let us know by when a new version will get released with the zlib patch?
>>
>> Hi, this vulnerability is in contrib/minizip.
>> https://nvd.nist.gov/vuln/detail/CVE-2023-45853
>> The fix also confirms that this is a problem in contrib/minizip/zip.c:
>> https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c
>> To my knowledge we never built this binary or shipped it in any package, ever, so there is nothing for us to fix.
>> https://pkgs.alpinelinux.org/contents?file=minizip&path=&name=&branch=edge
>>
>> Thanks!
>> -nc
>
> --
> lauren n. liberda
> it/she
-- 
lauren n. liberda
https://liberda.nl/