~alpine/users


Zlib vulnerability CVE-2023-45853 in 3.18.3 and 3.18.4

Alekh Kanubothula (Nokia) <alekh.kanubothula@nokia.com>
Message ID
<DB9PR07MB725758A2D23F77F17C1D96B6EADBA@DB9PR07MB7257.eurprd07.prod.outlook.com>
DKIM signature
missing
Hi,

Recently we found a vulnerability related to zlib in 3.18.3 and 3.18.4. These two versions are almost the latest versions. Could you please let us know by when a new version will get released with the zlib patch?

Thanks,
Alekh
Message ID
<20231020105006.151d0e30@ncopa-desktop.lan>
In-Reply-To
<DB9PR07MB725758A2D23F77F17C1D96B6EADBA@DB9PR07MB7257.eurprd07.prod.outlook.com>
DKIM signature
missing
On Fri, 20 Oct 2023 08:12:04 +0000
"Alekh Kanubothula (Nokia)" <alekh.kanubothula@nokia.com> wrote:

> Hi,
> 
> Recently we found a vulnerability related to zlib in 3.18.3 and 3.18.4.
> These two versions are almost the latest versions. Could you please let
> us know by when a new version will get released with the zlib patch?

Hi,

This vulnerability is in contrib/minizip.
https://nvd.nist.gov/vuln/detail/CVE-2023-45853

The fix also confirms that this is a problem in contrib/minizip/zip.c:
https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c

To my knowledge we never built this binary or shipped it in any package,
ever, so there is nothing for us to fix.

https://pkgs.alpinelinux.org/contents?file=minizip&path=&name=&branch=edge

Thanks!

-nc
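For context on why the fix lives in contrib/minizip/zip.c, here is an added example (not the thread's code and not zlib's own): the zip local file header stores the file name and extra-field lengths as 16-bit values, so any field longer than 0xffff cannot be represented and must be refused before it is written. The header writer, the error codes and the `wrapped_len16` helper below are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The zip format limits name, extra-field and comment lengths to 16 bits. */
#define ZIP_FIELD_MAX 0xffffu
/* Fixed part of a local file header: signature .. extra-field length. */
#define ZIP_LOCAL_HEADER_LEN 30
/* Hypothetical return codes for this example (not minizip's constants). */
#define ZH_PARAM_ERROR (-1)
#define ZH_NO_SPACE    (-2)

static void put_le16(unsigned char *p, uint16_t v) {
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)(v >> 8);
}
static void put_le32(unsigned char *p, uint32_t v) {
    put_le16(p, (uint16_t)(v & 0xffff));
    put_le16(p + 2, (uint16_t)(v >> 16));
}

/* The failure mode before the fix: a length >= 0x10000 silently wraps when
 * stored as a 16-bit header field, so the header no longer describes the
 * bytes that follow it. */
uint16_t wrapped_len16(size_t len) { return (uint16_t)len; }

/* Length validation in the spirit of the upstream fix: refuse every field
 * the format cannot represent instead of truncating it. Returns 1 if ok. */
int zip_fields_ok(size_t name_len, size_t extra_local_len,
                  size_t extra_global_len, size_t comment_len) {
    return name_len <= ZIP_FIELD_MAX && extra_local_len <= ZIP_FIELD_MAX &&
           extra_global_len <= ZIP_FIELD_MAX && comment_len <= ZIP_FIELD_MAX;
}

/* Write a minimal local file header (method STORE, CRC and sizes left zero)
 * followed by the name and extra field. Returns the number of bytes written,
 * ZH_PARAM_ERROR for an oversized field, ZH_NO_SPACE if out is too small. */
long write_local_header(unsigned char *out, size_t out_len,
                        const char *name, size_t name_len,
                        const unsigned char *extra, size_t extra_len) {
    if (!zip_fields_ok(name_len, extra_len, 0, 0)) return ZH_PARAM_ERROR;
    size_t total = ZIP_LOCAL_HEADER_LEN + name_len + extra_len;
    if (total > out_len) return ZH_NO_SPACE;      /* bounds check on output */
    memset(out, 0, ZIP_LOCAL_HEADER_LEN);
    put_le32(out, 0x04034b50u);                   /* "PK\3\4" signature */
    put_le16(out + 4, 20);                        /* version needed: 2.0 */
    put_le16(out + 26, (uint16_t)name_len);       /* safe: checked above */
    put_le16(out + 28, (uint16_t)extra_len);
    memcpy(out + ZIP_LOCAL_HEADER_LEN, name, name_len);
    if (extra_len) memcpy(out + ZIP_LOCAL_HEADER_LEN + name_len, extra, extra_len);
    return (long)total;
}
```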
lauren n. liberda <lauren@selfisekai.rocks>
Message ID
<619DE186-52B3-4768-9D93-72AC9DC693EE@selfisekai.rocks>
In-Reply-To
<20231020105006.151d0e30@ncopa-desktop.lan>
DKIM signature
missing
we do, it is a dependency of a few packages, including chromium
https://pkgs.alpinelinux.org/packages?name=minizip&branch=edge&repo=&arch=&maintainer= 

there also is a fork of it packaged, I think this should be checked too, but that's in testing
https://pkgs.alpinelinux.org/packages?name=minizip-ng&branch=edge&repo=&arch=&maintainer=

Natanael Copa <ncopa@alpinelinux.org> wrote on 20 October 2023 10:50:06 CEST:
>On Fri, 20 Oct 2023 08:12:04 +0000
>"Alekh Kanubothula (Nokia)" <alekh.kanubothula@nokia.com> wrote:
>
>> Hi,
>> 
>> Recently we found a vulnerability related to zlib in 3.18.3 and 3.18.4.
>> These two versions are almost the latest versions. Could you please let
>> us know by when a new version will get released with the zlib patch?
>
>Hi,
>
>This vulnerability is in contrib/minizip.
>https://nvd.nist.gov/vuln/detail/CVE-2023-45853
>
>The fix also confirms that this is a problem in contrib/minizip/zip.c:
>https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c
>
>To my knowledge we never built this binary or shipped it in any package,
>ever, so there is nothing for us to fix.
>
>https://pkgs.alpinelinux.org/contents?file=minizip&path=&name=&branch=edge
>
>Thanks!
>
>-nc

-- 
lauren n. liberda
it/she
lauren n. liberda <lauren@selfisekai.rocks>
Message ID
<9b72dd03-78d5-44d1-84c1-b55b9057c4bd@selfisekai.rocks>
In-Reply-To
<619DE186-52B3-4768-9D93-72AC9DC693EE@selfisekai.rocks>
DKIM signature
missing
merged and built in both edge and 3.18 for the minizip package, `apk upgrade` now!

minizip-ng diverged a lot from the upstream minizip, so the patch does not 
apply. nothing in aports seems to depend on it yet, so not much of a 
worry. waiting for a response from them.

On 10/20/23 15:21, lauren n. liberda wrote:
> we do, it is a dependency of a few packages, including chromium
> https://pkgs.alpinelinux.org/packages?name=minizip&branch=edge&repo=&arch=&maintainer= 
>
>
> there also is a fork of it packaged, I think this should be checked 
> too, but that's in testing
> https://pkgs.alpinelinux.org/packages?name=minizip-ng&branch=edge&repo=&arch=&maintainer= 
>
>
> Natanael Copa <ncopa@alpinelinux.org> wrote on 20 October 2023 
> 10:50:06 CEST:
>
>     On Fri, 20 Oct 2023 08:12:04 +0000 "Alekh Kanubothula (Nokia)"
>     <alekh.kanubothula@nokia.com> wrote:
>
>         Hi, Recently we found a vulnerability related to zlib in 3.18.3
>         and 3.18.4. These two versions are almost the latest versions.
>         Could you please let us know by when a new version will get
>         released with the zlib patch?
>
>     Hi, This vulnerability is in contrib/minizip.
>     https://nvd.nist.gov/vuln/detail/CVE-2023-45853 The fix also
>     confirms that this is a problem in contrib/minizip/zip.c:
>     https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c
>     To my knowledge we never built this binary or shipped it in any
>     package, ever, so there is nothing for us to fix.
>     https://pkgs.alpinelinux.org/contents?file=minizip&path=&name=&branch=edge
>     Thanks! -nc
>
> -- 
> lauren n. liberda
> it/she

-- 
lauren n. liberda
https://liberda.nl/