clone 854727 -1 retitle -1 zziplib: CVE-2017-5977 severity -1 important thanks
hi

On Sun, Jun 04, 2017 at 11:09:40AM +0200, Moritz Muehlenhoff wrote:
> Moritz Muehlenhoff wrote:
> > On Fri, Mar 24, 2017 at 07:41:03AM -0400, Scott Howard wrote:
> > > I was contacted by someone at SUSE that is working on fixing the security
> > > bugs - but even if successful, I don't know how good the quality will be
> > > or how much testing will be able to get done before stretch is released.
> > > Removal might be safest option
> >
> > Unfortunately removal didn't work out for stretch and will have to wait
> > for buster.
>
> Since the stretch release is coming close and since Scott is on the LowNMU
> list I've uploaded an NMU. CVE-2017-5980 isn't mentioned in the patch
> names, but I've confirmed with the reproducers that it's fixed as well.
>
> CVE-2017-5977 still needs to be checked, it might be fixed along with
> zziplib-CVE-2017-5974.patch or zziplib-CVE-2017-5976.patch, but needs
> further investigation. It's only a memory overread, so if it misses
> the stretch release that's not a big deal.

Cloning the bug to track a possible further update for CVE-2017-5977 in the
BTS, since 854727 closed with the upload.

Regards,
Salvatore