Debian Bug report logs - #1029038
zip4j: CVE-2023-22899


Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Mon, 16 Jan 2023 19:33:05 UTC

Severity: important

Tags: security, upstream

Fixed in version zip4j/2.11.2-3

Done: tony mancill <tmancill@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1029038; Package src:zip4j. (Mon, 16 Jan 2023 19:33:07 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 16 Jan 2023 19:33:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: zip4j: CVE-2023-22899
Date: Mon, 16 Jan 2023 20:31:32 +0100
Source: zip4j
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for zip4j.

CVE-2023-22899[0]:
| Zip4j through 2.11.2, as used in Threema and other products, does not
| always check the MAC when decrypting a ZIP archive.

https://github.com/srikanth-lingala/zip4j/issues/485
https://github.com/srikanth-lingala/zip4j/commit/597b31afb473a40e8252de5b5def1876bab198d3


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22899
    https://www.cve.org/CVERecord?id=CVE-2023-22899

Please adjust the affected versions in the BTS as needed.
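What the missing check buys an attacker, in an added Python model (example code written for this page, not zip4j's, Threema's or the Debian patch's code). It follows the WinZip AES (AE-2) entry layout that AES-encrypted ZIP entries carry: salt, 2-byte password verifier, ciphertext, 10-byte authentication code, with keys derived by PBKDF2-HMAC-SHA1 over 1000 iterations and the authentication code being HMAC-SHA1 over the ciphertext. Assumptions: the AES-256-CTR keystream is replaced by an HMAC-SHA256 counter keystream because the Python standard library has no AES; the function names `encrypt_entry`, `decrypt_entry_unchecked`, `decrypt_entry` and `tamper_demo` are chosen here; the password, salt and plaintext are constructed sample values.

```python
import hashlib
import hmac
import os

# WinZip AE parameters for AES-256 (strength 3): 16-byte salt, PBKDF2-HMAC-SHA1
# with 1000 iterations, 2-byte password verifier, 10-byte authentication code.
KEY_LEN = 32
SALT_LEN = KEY_LEN // 2
PBKDF2_ITERATIONS = 1000
VERIFIER_LEN = 2
AUTH_CODE_LEN = 10


class AuthenticationError(Exception):
    """Raised when the authentication code does not match the ciphertext."""


def derive_keys(password: bytes, salt: bytes):
    """PBKDF2 output is split into encryption key, authentication key and verifier."""
    material = hashlib.pbkdf2_hmac("sha1", password, salt, PBKDF2_ITERATIONS,
                                   2 * KEY_LEN + VERIFIER_LEN)
    return material[:KEY_LEN], material[KEY_LEN:2 * KEY_LEN], material[2 * KEY_LEN:]


def keystream(enc_key: bytes, length: int) -> bytes:
    """Stand-in for AES-256-CTR (assumption: the standard library has no AES).
    It keeps the property that matters here: a stream cipher, so flipping a bit
    in the ciphertext flips the same bit in the recovered plaintext."""
    out = bytearray()
    counter = 1  # WinZip CTR mode starts its little-endian block counter at 1
    while len(out) < length:
        out += hmac.new(enc_key, counter.to_bytes(16, "little"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_entry(password: bytes, plaintext: bytes, salt: bytes = None) -> bytes:
    """Builds salt || verifier || ciphertext || auth code, as stored in an AE-2 entry."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    enc_key, auth_key, verifier = derive_keys(password, salt)
    ciphertext = xor_bytes(plaintext, keystream(enc_key, len(plaintext)))
    auth_code = hmac.new(auth_key, ciphertext, "sha1").digest()[:AUTH_CODE_LEN]
    return salt + verifier + ciphertext + auth_code


def split_entry(blob: bytes):
    salt = blob[:SALT_LEN]
    verifier = blob[SALT_LEN:SALT_LEN + VERIFIER_LEN]
    ciphertext = blob[SALT_LEN + VERIFIER_LEN:-AUTH_CODE_LEN]
    auth_code = blob[-AUTH_CODE_LEN:]
    return salt, verifier, ciphertext, auth_code


def decrypt_entry_unchecked(password: bytes, blob: bytes) -> bytes:
    """The vulnerable pattern: the password verifier is checked, the auth code is not."""
    salt, verifier, ciphertext, _ = split_entry(blob)
    enc_key, _, expected_verifier = derive_keys(password, salt)
    if not hmac.compare_digest(verifier, expected_verifier):
        raise ValueError("wrong password")
    return xor_bytes(ciphertext, keystream(enc_key, len(ciphertext)))


def decrypt_entry(password: bytes, blob: bytes) -> bytes:
    """Hardened: recompute HMAC-SHA1 over the ciphertext and compare it, in
    constant time, before any plaintext is released to the caller."""
    salt, verifier, ciphertext, auth_code = split_entry(blob)
    enc_key, auth_key, expected_verifier = derive_keys(password, salt)
    if not hmac.compare_digest(verifier, expected_verifier):
        raise ValueError("wrong password")
    expected_code = hmac.new(auth_key, ciphertext, "sha1").digest()[:AUTH_CODE_LEN]
    if not hmac.compare_digest(auth_code, expected_code):
        raise AuthenticationError("authentication code mismatch: entry tampered or corrupt")
    return xor_bytes(ciphertext, keystream(enc_key, len(ciphertext)))


def tamper_demo():
    """Constructed scenario: an attacker who never learns the password changes
    the decrypted amount by flipping bits in the stored ciphertext."""
    password = b"correct horse"      # constructed sample password
    salt = bytes(range(SALT_LEN))    # fixed constructed salt, for reproducibility
    blob = encrypt_entry(password, b"amount=100", salt)
    offset = SALT_LEN + VERIFIER_LEN + len(b"amount=")  # ciphertext byte under the "1"
    tampered = bytearray(blob)
    tampered[offset] ^= ord("1") ^ ord("9")
    tampered = bytes(tampered)
    unchecked = decrypt_entry_unchecked(password, tampered)  # comes back as b"amount=900"
    try:
        decrypt_entry(password, tampered)
        checked = "accepted"
    except AuthenticationError:
        checked = "rejected"
    return unchecked, checked


if __name__ == "__main__":
    print(tamper_demo())
```

The password verifier proves only that the password was right; with a stream cipher it gives no integrity at all, so an unchecked decrypt hands back attacker-chosen plaintext without any error. Comparing the authentication code over the ciphertext before releasing plaintext is the behaviour the Debian patch ("always check MAC") restores.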



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 Jan 2023 19:39:03 GMT)


Message sent on to Moritz Mühlenhoff <jmm@inutil.org>:
Bug#1029038. (Mon, 16 Jan 2023 20:21:02 GMT)


Message #10 received at 1029038-submitter@bugs.debian.org:

From: Tony Mancill <noreply@salsa.debian.org>
To: 1029038-submitter@bugs.debian.org
Subject: Bug#1029038 marked as pending in zip4j
Date: Mon, 16 Jan 2023 20:17:29 +0000
Control: tag -1 pending

Hello,

Bug #1029038 in zip4j reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/zip4j/-/commit/a0c10886cc7b18cef2f4568926a7d4a80e901316

------------------------------------------------------------------------
Add patch to always check MAC - CVE-2023-22899 (Closes: #1029038)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1029038



Added tag(s) pending. Request was from Tony Mancill <noreply@salsa.debian.org> to 1029038-submitter@bugs.debian.org. (Mon, 16 Jan 2023 20:21:02 GMT)


Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Mon, 16 Jan 2023 20:51:05 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 16 Jan 2023 20:51:05 GMT)


Message #17 received at 1029038-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1029038-close@bugs.debian.org
Subject: Bug#1029038: fixed in zip4j 2.11.2-3
Date: Mon, 16 Jan 2023 20:49:46 +0000
Source: zip4j
Source-Version: 2.11.2-3
Done: tony mancill <tmancill@debian.org>

We believe that the bug you reported is fixed in the latest version of
zip4j, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1029038@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated zip4j package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 16 Jan 2023 12:12:37 -0800
Source: zip4j
Architecture: source
Version: 2.11.2-3
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Closes: 1029038
Changes:
 zip4j (2.11.2-3) unstable; urgency=high
 .
   * Team upload.
 .
   [ Debian Janitor ]
   * Remove constraints unnecessary since buster (oldstable)
 .
   [ tony mancill ]
   * Add patch to always check MAC - CVE-2023-22899 (Closes: #1029038)
   * Freshen years in debian/copyright
   * Bump Standards-Version to 4.6.2
Checksums-Sha1:
 72968824c56977c71f03f1661fb99c9f21050c62 1991 zip4j_2.11.2-3.dsc
 15fd7e329e9ddf7ba3c7dd3832505d8ed0182977 4584 zip4j_2.11.2-3.debian.tar.xz
 a207fbef5d2a427716b3acfff850ed520034f030 14284 zip4j_2.11.2-3_amd64.buildinfo
Checksums-Sha256:
 435b90bf1c6ff5fb508bf868a52b98e1066f244148093ca3754af1c7f425b288 1991 zip4j_2.11.2-3.dsc
 37ca70cc6b079f801b9f67912973e8d38c9708f91e0660acda9069129db20fb3 4584 zip4j_2.11.2-3.debian.tar.xz
 8ba1bfb8aace8173d77681de0bc819cbd4a23c8eee246ee25a2ded0a87153880 14284 zip4j_2.11.2-3_amd64.buildinfo
Files:
 fd7137963c76bc9600b71b973e72e759 1991 java optional zip4j_2.11.2-3.dsc
 2ed0568e0cf632321fb4ce7b5831f028 4584 java optional zip4j_2.11.2-3.debian.tar.xz
 bd494bdb98e5f0f726062afa3fb2309e 14284 java optional zip4j_2.11.2-3_amd64.buildinfo







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jan 17 13:04:44 2023; Machine Name: bembo
