Re: CVE (Critical + High) in bookworm image
On Wed, Nov 22, 2023 at 01:34:49PM -0600, David Wright wrote:
> AFAICT zipOpenNewFileInZip4_64 is only contained in
> /usr/lib/x86_64-linux-gnu/libminizip.so.1.0.0 which is from package
> libminizip1_1~b1_amd64.deb.
>
> In Debian, it would appear that minizip was split off from zlib1g
> a decade ago.
>
> zlib (1:1.2.8.dfsg-2) unstable; urgency=low
>
> * Drop zlib-bin package as minizip has now been packaged separately,
> delay due to lack of notice regarding upload (closes: #753070).
>
> -- Mark Brown <broonie@debian.org> Sat, 16 Aug 2014 15:12:11 +0100
unicorn:~$ apt-cache show zlib1g
[...]
Source: zlib
[...]
Homepage: http://zlib.net/
unicorn:~$ apt-cache show libminizip1
[...]
Source: minizip (1.1-8)
[...]
Homepage: http://www.winimage.com/zLibDll/minizip.html
Looks like Debian's minizip (including libminizip1) was sourced from a
separate location, rather than being split apart from zlib.
On the other hand, I cannot find zipOpen in
/lib/x86_64-linux-gnu/libz.so.1.2.13 either (I used nm -D ... | less),
so perhaps the minizip portion of zlib is not included during the build.
If that's true, then the package should be marked as "not vulnerable".
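A worked version of the check described in this reply, added here as an example and not part of the thread: it parses the output of `nm -D` (the tool used above) into the set of defined dynamic symbols, and separately asks the dynamic linker, via ctypes, whether a name such as zipOpen or zipOpenNewFileInZip4_64 is actually exported by the installed libz. The helper names, the list of directories searched, and the sample nm output are assumptions made for this example; the library and symbol names come from the thread.

```python
"""Decide whether an installed shared object really exports a given symbol.

Two independent checks (added example, not from the mailing-list thread):
  1. parse `nm -D <file>` into the symbols the object itself defines;
  2. ask the dynamic linker directly via ctypes, which is what a program
     calling the function would do at run time.
"""
import ctypes
import ctypes.util
import shutil
import subprocess
from pathlib import Path

# nm type letters for symbols *defined* in the object (upper case = global).
# 'U' is an undefined symbol, i.e. one imported from another library.
DEFINED_TYPES = set("TtWwDdBbRrVvIi")

# Constructed sample of `nm -D` output, used for the offline self-test.
SAMPLE_NM_OUTPUT = """\
0000000000012340 T zlibVersion
                 U malloc
0000000000013000 W deflateInit_@@ZLIB_1.2.0
"""

# Directories searched when mapping a soname back to a file for nm (assumption).
LIBRARY_DIRS = ("/lib", "/usr/lib", "/lib64", "/usr/lib64")


def parse_nm_dynamic(nm_output):
    """Return {symbol: type_letter} for the defined symbols in `nm -D` text.

    Version suffixes such as 'deflateInit_@@ZLIB_1.2.0' are stripped so the
    plain function name can be looked up.
    """
    symbols = {}
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # blank line, "file:" header or an nm warning
        sym_type, name = parts[-2], parts[-1]
        if len(sym_type) != 1 or sym_type not in DEFINED_TYPES:
            continue
        symbols[name.split("@")[0]] = sym_type
    return symbols


def defined_symbols_via_nm(library_path):
    """Run `nm -D` on a real file; None if nm is missing or the file is unreadable."""
    if shutil.which("nm") is None:
        return None
    result = subprocess.run(["nm", "-D", str(library_path)],
                            capture_output=True, text=True)
    if result.returncode != 0:
        return None
    return parse_nm_dynamic(result.stdout)


def find_library_soname(short_name):
    """Soname the dynamic linker would use for e.g. 'z' ('libz.so.1'), or None."""
    return ctypes.util.find_library(short_name)


def locate_library_file(soname):
    """First file named `soname` under LIBRARY_DIRS, for feeding to nm."""
    for base in LIBRARY_DIRS:
        for path in Path(base).rglob(soname):
            return path
    return None


def symbol_resolvable(library, symbol):
    """True/False if dlsym can resolve `symbol` in `library`; None if it won't load."""
    try:
        handle = ctypes.CDLL(library)
    except OSError:
        return None
    return hasattr(handle, symbol)  # CDLL raises AttributeError when dlsym fails


def triage(library, candidate_symbols):
    """Map each candidate symbol to whether the installed library exposes it.

    If none of the functions named by an advisory resolve, the affected code
    was very likely not compiled into this build, which is the
    'not vulnerable' question raised in the post.
    """
    return {sym: symbol_resolvable(library, sym) for sym in candidate_symbols}


if __name__ == "__main__":
    libz = find_library_soname("z")
    if libz is None:
        print("zlib not found on this system")
    else:
        wanted = ["zlibVersion", "zipOpen", "zipOpenNewFileInZip4_64"]
        for sym, present in triage(libz, wanted).items():
            print(f"{libz}: {sym}: {'exported' if present else 'absent'}")
        path = locate_library_file(libz)
        exported = defined_symbols_via_nm(path) if path else None
        if exported is not None:
            print(f"nm -D {path}: {len(exported)} defined dynamic symbols")
```

Running this on a Debian bookworm host answers the question in the post directly: zlibVersion resolves, and if zipOpen does not, the minizip code is not part of the libz build on that machine. The nm parser is also useful on its own when the only evidence available is a captured `nm -D` listing from another system.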