ALT-BU-2024-9627-1
Branch p10 update bulletin.
Closed vulnerabilities
BDU:2023-07116
Vulnerability in the zipOpenNewFileInZip4_64() function of the MiniZip package of the zlib library, allowing an attacker to affect the integrity, availability, and confidentiality of protected information
Modified: 2024-12-20
CVE-2023-45853
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
- [oss-security] 20231020 CVE-2023-45853: overflows in MiniZip in zlib through 1.3
- [oss-security] 20240124 Re: CVE-2023-45853: overflows in MiniZip in zlib through 1.3
- https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356
- https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61
- https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4
- https://github.com/madler/zlib/pull/843
- [debian-lts-announce] 20231127 [SECURITY] [DLA 3670-1] minizip security update
- https://pypi.org/project/pyminizip/#history
- GLSA-202401-18
- https://security.netapp.com/advisory/ntap-20231130-0009/
- https://www.winimage.com/zLibDll/minizip.html
Package plasma5-workspace updated to version 5.27.11-alt7 for branch p10 in task 350519.
Closed vulnerabilities
Modified: 2024-11-21
CVE-2024-36041
KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to gain access to the session manager, e.g., use the session-restore feature to execute arbitrary code as the victim (on the next boot) via earlier use of the /tmp directory.
- https://github.com/KDE/plasma-workspace/tags
- https://invent.kde.org/plasma/plasma-workspace/
- https://kde.org/info/security/advisory-20240531-1.txt
- https://www.x.org/releases/X11R7.7/doc/libSM/xsmp.html