Re: Debian 12 security issue - please help to understand
On Wed, Jan 29, 2025 at 04:04:26PM +0100, Rafał Lichwała wrote:
>
> On 29.01.2025 3:35 PM, Hanno 'Rince' Wagner wrote:
> > > The notes say:
> > > [bookworm] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages)
> > > In other words, there's no point in fixing it because Debian doesn't build the vulnerable binary component.
> > > Very low priority.
> >
> > so, this CVE is telling you about a bug which is not affecting Debian's
> > zlib1g since it doesn't build minizip.
>
> I can still find "minizip" binary in bookworm which depends on "zlib1g". So
> what does it mean that "it doesn't build minizip"?
>
> Thanks for trying and patience :-)
>
Yes, it still means that. The minizip binary package you are seeing
comes from a different source package, also called minizip:
https://packages.debian.org/source/bookworm/minizip
> > that is what your job is: finding out whether the bug is really
> > affecting you and if so, how to mitigate it.
>
> So, if I use "minizip" or any other package based on vulnerable "zlib1g" in
> bookworm, that may be a security risk, right?
The minizip package in bookworm does not come from zlib1g, so this
particular vulnerability still does not apply.
Regards,
-Roberto
--
Roberto C. Sánchez
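The check Roberto describes, mapping an installed binary package back to the source package a tracker note names, as an added example that is not part of this thread. It relies on the Debian packaging rule that a stanza without a `Source:` field belongs to a source package of the same name; the stanza text below is constructed (versions are placeholders), standing in for real `apt-cache show` or `dpkg -s` output.

```shell
#!/bin/sh
# Added example (not from the thread): resolve a Debian binary package to its
# source package from "apt-cache show" / "dpkg -s" style stanzas, so that a
# tracker note filed against src:zlib can be compared with what is installed.
# Debian rule: no "Source:" field means the source package has the same name as
# the binary; a "Source:" field may carry "(version)" after the name.

# Constructed stanzas (placeholder versions) standing in for
# `apt-cache show minizip zlib1g libminizip1` output.
SAMPLE_STANZAS='Package: minizip
Version: 1.0-1
Architecture: amd64
Depends: libminizip1 (= 1.0-1), zlib1g

Package: zlib1g
Source: zlib (1.0-1)
Version: 1.0-1
Architecture: amd64

Package: libminizip1
Source: minizip
Version: 1.0-1
Architecture: amd64
'

# source_of PKG STANZAS -> prints PKG's source package, nothing if PKG is absent
source_of() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^Package: / { cur = $2; src = "" }
        /^Source: /  { src = $2 }            # $2 drops any "(version)" suffix
        /^$/ && cur == want { print (src == "" ? cur : src); found = 1; exit }
        END { if (!found && cur == want) print (src == "" ? cur : src) }
    '
}

# affected_by_src PKG SRC STANZAS -> exit 0 only if PKG is built from source SRC
affected_by_src() {
    [ "$(source_of "$1" "$3")" = "$2" ]
}

# On a Debian host, feed live data instead of the constructed sample, e.g.:
#   affected_by_src minizip zlib "$(apt-cache show minizip)" && echo "built from zlib"
```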