Debian Bug report logs - #1029038: zip4j: CVE-2023-22899
Reported by: Moritz Mühlenhoff <jmm@inutil.org>
Date: Mon, 16 Jan 2023 19:33:05 UTC
Severity: important
Tags: security, upstream
Fixed in version zip4j/2.11.2-3
Done: tony mancill <tmancill@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#1029038; Package src:zip4j. (Mon, 16 Jan 2023 19:33:07 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 16 Jan 2023 19:33:07 GMT)
Message #5 received at submit@bugs.debian.org:
Source: zip4j
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for zip4j.
CVE-2023-22899[0]:
| Zip4j through 2.11.2, as used in Threema and other products, does not
| always check the MAC when decrypting a ZIP archive.
https://github.com/srikanth-lingala/zip4j/issues/485
https://github.com/srikanth-lingala/zip4j/commit/597b31afb473a40e8252de5b5def1876bab198d3
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-22899
https://www.cve.org/CVERecord?id=CVE-2023-22899
Please adjust the affected versions in the BTS as needed.
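The CVE quoted in the report above describes a decryptor that does not always verify the MAC before handing back plaintext. The following is an added example, not zip4j's code and not the Debian patch, that shows the class of defect generically: an encrypt-then-MAC entry format in the style of WinZip AES (HMAC-SHA1 tag, here truncated to 10 bytes as AE-2 does), a lenient decryptor whose MAC check can be skipped, and a strict decryptor that always verifies with a constant-time comparison before releasing any plaintext. The keystream function is a toy stand-in for AES-CTR so that the script runs on the standard library alone; the keys and plaintext are constructed sample values.

```python
import hmac
import hashlib

MAC_LEN = 10  # WinZip AE-2 stores a 10-byte truncated HMAC-SHA1 after the ciphertext


def keystream(enc_key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256.

    Stand-in for AES-CTR so the example needs no third-party library;
    it is NOT a real cipher and exists only to make XOR 'decryption' concrete.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, counter.to_bytes(8, "little"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_entry(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by a truncated HMAC-SHA1 tag."""
    ct = _xor(plaintext, keystream(enc_key, len(plaintext)))
    tag = hmac.new(mac_key, ct, hashlib.sha1).digest()[:MAC_LEN]
    return ct + tag


def decrypt_entry_lenient(enc_key: bytes, mac_key: bytes, blob: bytes, verify: bool = True) -> bytes:
    """Vulnerable pattern: the MAC check depends on a flag, so some call paths skip it
    and unauthenticated plaintext is returned to the caller."""
    ct, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    pt = _xor(ct, keystream(enc_key, len(ct)))
    if verify:
        expected = hmac.new(mac_key, ct, hashlib.sha1).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("MAC check failed")
    return pt


def decrypt_entry_strict(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Hardened form: the tag is verified on every path, in constant time,
    before a single byte of plaintext is produced."""
    if len(blob) < MAC_LEN:
        raise ValueError("entry too short to carry a MAC")
    ct, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha1).digest()[:MAC_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed")
    return _xor(ct, keystream(enc_key, len(ct)))


def run_demo() -> dict:
    """Encrypt a constructed entry, corrupt one ciphertext byte, and record how
    each decryptor behaves. Keys and plaintext are constructed sample values."""
    enc_key = b"e" * 32
    mac_key = b"m" * 32
    plaintext = b"hello, authenticated archive entry"

    blob = encrypt_entry(enc_key, mac_key, plaintext)
    corrupted = bytes([blob[0] ^ 0x01]) + blob[1:]  # single-bit change in the ciphertext

    results = {"strict_accepts_valid": decrypt_entry_strict(enc_key, mac_key, blob) == plaintext}

    try:
        decrypt_entry_strict(enc_key, mac_key, corrupted)
        results["strict_rejects_corrupted"] = False
    except ValueError:
        results["strict_rejects_corrupted"] = True

    # With verification skipped the lenient decryptor silently returns wrong data.
    garbage = decrypt_entry_lenient(enc_key, mac_key, corrupted, verify=False)
    results["lenient_returns_garbage"] = garbage != plaintext
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point for a reviewer of any archive or crypto library is structural: a MAC check that lives behind a flag, a mode branch or a caller's option is a check that will eventually be skipped; the strict variant makes it impossible to obtain plaintext without passing verification.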
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 Jan 2023 19:39:03 GMT)
Message sent to Moritz Mühlenhoff <jmm@inutil.org>: Bug#1029038. (Mon, 16 Jan 2023 20:21:02 GMT)
Message #10 received at 1029038-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #1029038 in zip4j reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/java-team/zip4j/-/commit/a0c10886cc7b18cef2f4568926a7d4a80e901316
------------------------------------------------------------------------
Add patch to always check MAC - CVE-2023-22899 (Closes: #1029038)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1029038
Added tag(s) pending. Request was from Tony Mancill <noreply@salsa.debian.org> to 1029038-submitter@bugs.debian.org. (Mon, 16 Jan 2023 20:21:02 GMT)
Reply sent to tony mancill <tmancill@debian.org>: You have taken responsibility. (Mon, 16 Jan 2023 20:51:05 GMT)
Notification sent to Moritz Mühlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Mon, 16 Jan 2023 20:51:05 GMT)
Message #17 received at 1029038-close@bugs.debian.org:
Source: zip4j
Source-Version: 2.11.2-3
Done: tony mancill <tmancill@debian.org>
We believe that the bug you reported is fixed in the latest version of
zip4j, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1029038@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated zip4j package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 16 Jan 2023 12:12:37 -0800
Source: zip4j
Architecture: source
Version: 2.11.2-3
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Closes: 1029038
Changes:
zip4j (2.11.2-3) unstable; urgency=high
.
* Team upload.
.
[ Debian Janitor ]
* Remove constraints unnecessary since buster (oldstable)
.
[ tony mancill ]
* Add patch to always check MAC - CVE-2023-22899 (Closes: #1029038)
* Freshen years in debian/copyright
* Bump Standards-Version to 4.6.2
Checksums-Sha1:
72968824c56977c71f03f1661fb99c9f21050c62 1991 zip4j_2.11.2-3.dsc
15fd7e329e9ddf7ba3c7dd3832505d8ed0182977 4584 zip4j_2.11.2-3.debian.tar.xz
a207fbef5d2a427716b3acfff850ed520034f030 14284 zip4j_2.11.2-3_amd64.buildinfo
Checksums-Sha256:
435b90bf1c6ff5fb508bf868a52b98e1066f244148093ca3754af1c7f425b288 1991 zip4j_2.11.2-3.dsc
37ca70cc6b079f801b9f67912973e8d38c9708f91e0660acda9069129db20fb3 4584 zip4j_2.11.2-3.debian.tar.xz
8ba1bfb8aace8173d77681de0bc819cbd4a23c8eee246ee25a2ded0a87153880 14284 zip4j_2.11.2-3_amd64.buildinfo
Files:
fd7137963c76bc9600b71b973e72e759 1991 java optional zip4j_2.11.2-3.dsc
2ed0568e0cf632321fb4ce7b5831f028 4584 java optional zip4j_2.11.2-3.debian.tar.xz
bd494bdb98e5f0f726062afa3fb2309e 14284 java optional zip4j_2.11.2-3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEE5Qr9Va3SequXFjqLIdIFiZdLPpYFAmPFsMAUHHRtYW5jaWxs
QGRlYmlhbi5vcmcACgkQIdIFiZdLPpYF+RAAzZwOIAgyy20QOgxjfcpJg0M2IciK
MgtCDrTIhMVzy4Jwtdcs6CYZvHBMR6Z4oChA6s4RbbFrsdk797cLkXtnBgu1TXsP
F5dTFCsEIkc/7fU2Khc9M/FLGoFlSypWzbL7w1+/rH2jKV0gFvuvlIDt1WpCPmR3
XG43XbSExOXE0AWWh4aHdzxJbPNA/Kenow+atezNc1lNJtF35UaMIqrwvupORrz/
h+gO/apA4tKOGjjlArxqiViWgi9JGZ5mlmDt4YWvANehkoBngeMuH/jbr+VDUqtb
y5YOTAFKwbGRJ+wRL8HZeRWxoun3c0dK8zX/yQ27JPihGVYa2qYbXjwneF+C8FfA
dYmzV9ILoV2TBl6SZn8103pTOS4rG+SGqlw7mifSAApVX8PJx3S4716/7Ly8r9ab
XNEMpBFyyi19ZSmBmdewl1208McDGjle2lFMg6xhZzdtwser3iqluVZU56+dFPT/
uYWZ33AYfQAlFB2oCo+iIfTuaGt25jJ1GCL7zinIbU57Oao4QJlNEgwCiLE85x2C
DHs2ZTMWClQDfbDSWQU3mG3iMOuTFdjKvd8vG33QZqyEEp2F3ifyRWNfvlBVW/0p
SyL1CfB6dgtfuDgqnwcudCrxOU/X97L8mkWUSdX1eV4dYB17db/D6shUjnn3D+qb
W53G58f0i5vOoII=
=9nnh
-----END PGP SIGNATURE-----
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jan 17 13:04:44 2023; Machine Name: bembo