Source: zlib
Followup-For: Bug #1054290
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

I wrote:
> Although this bug exists in src:zlib, the only binary package affected is, I
> believe, the 'minizip'[1] package.

This turns out to be a half-truth: the affected minizip code is vendored into other source packages, potentially requiring a larger audit.

The codesearch I used to determine that is:

https://codesearch.debian.net/search?q=filetype%3Ac+zipOpenNewFileInZip4_64&literal=0&perpkg=1

I haven't performed any callflow analysis to determine how many of those packages make use of the affected zipOpenNewFileInZip4_64 function.

(I also accidentally omitted the security list from my previous comment, which contains a patch based on the existing upstream fix)
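
A first-pass triage for the audit described in the message above, as an added example that is not part of the original message or of any Debian or zlib tooling: it separates vendored definitions of zipOpenNewFileInZip4_64 from call sites outside the vendored file. It is a text heuristic, not call-flow analysis, and the package names, paths and C sources are constructed.

```python
import re

FUNC = "zipOpenNewFileInZip4_64"  # function named in the bug report
_USE = re.compile(r"\b" + FUNC + r"\s*\(")
_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def classify(source):
    """List (kind, line) per use of FUNC: 'definition', 'prototype' or 'call'."""
    # Blank comments (keeping newlines, so line numbers hold) before matching.
    text = _COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)
    hits = []
    for m in _USE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:  # walk to the end of the argument list
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        before = re.search(r"(\w+)\s*$", text[:m.start()])
        declared = bool(before) and before.group(1) not in ("return", "else")
        body = text[i:].lstrip()[:1] == "{"
        kind = ("definition" if body else "prototype") if declared else "call"
        hits.append((kind, text.count("\n", 0, m.start()) + 1))
    return hits

def triage(packages):
    """packages: {name: {path: C source}} -> {name: audit summary}."""
    report = {}
    for name, files in packages.items():
        kinds = {(k, p) for p, src in files.items() for k, _ in classify(src)}
        vendored = {p for k, p in kinds if k == "definition"}
        # Calls inside the vendored file are minizip's own wrappers.
        callers = sorted(p for k, p in kinds if k == "call" and p not in vendored)
        report[name] = {"vendors_copy": bool(vendored), "callers": callers}
    return report

# Constructed sample trees; package names, paths and sources are made up.
ZIP_C = """extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile f, const char* name)
{ return ZIP_OK; }
extern int ZEXPORT zipOpenNewFileInZip(zipFile f, const char* name)
{ return zipOpenNewFileInZip4_64(f, name); }
"""
CALLER = "int save(zipFile z) {\n  /* zipOpenNewFileInZip4_64( */\n  return zipOpenNewFileInZip4_64(z, \"a\");\n}\n"
SAMPLE = {
    "pkg-a": {"vendor/minizip/zip.c": ZIP_C, "src/export.c": CALLER},
    "pkg-b": {"minizip/zip.c": ZIP_C},
    "pkg-c": {"archive.c": CALLER},
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A package with `vendors_copy` set needs the fix applied to its own copy; one with only `callers` picks up the fix from the system minizip but is still exposed until that is updated.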