Moritz Muehlenhoff wrote:
> On Fri, Mar 24, 2017 at 07:41:03AM -0400, Scott Howard wrote:
> > I was contacted by someone at SUSE that is working on fixing the security
> > bugs - but even if successful, I don't know how good the quality will be or
> > how much testing will be able to get done before stretch is released.
> > Removal might be the safest option
> 
> Unfortunately removal didn't work out for stretch and will have to wait
> for buster.

Since the stretch release is coming close and since Scott is on the LowNMU
list I've uploaded an NMU. CVE-2017-5980 isn't mentioned in the patch
names, but I've confirmed with the reproducers that it's fixed as well.

CVE-2017-5977 still needs to be checked, it might be fixed along with
zziplib-CVE-2017-5974.patch or zziplib-CVE-2017-5976.patch, but needs
further investigation. It's only a memory overread, so if it misses
the stretch release that's not a big deal.

Cheers,
        Moritz
