Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#74851 - [lrzip] [security] CVE-2018-5786
Attached to Project:
Community Packages
Opened by T.J. Townsend (blakkheim) - Wednesday, 25 May 2022, 16:30 GMT
Last edited by Leonidas Spyropoulos (inglor) - Friday, 27 May 2022, 07:58 GMT
Details
Description:
The lrzip package in [community] is vulnerable to (at least) CVE-2018-5786; possibly more because it's so outdated. The attached diff pulls in the fixes.
Additional info: https://github.com/ckolivas/lrzip/commit/3495188cd8f2215a9feea201f3e05c1341ed95fb
Closed by Leonidas Spyropoulos (inglor)
Friday, 27 May 2022, 07:58 GMT
Reason for closing: Fixed
Additional comments about closing: 0.651-2
Comment by T.J. Townsend (blakkheim) -
Thursday, 26 May 2022, 18:26 GMT
- Field changed: Percent Complete (100% → 0%)
CVE was not fixed, maintainer did not read report.
Comment by T.J. Townsend (blakkheim) -
Thursday, 26 May 2022, 19:06 GMT
The latest release does not contain the fix, so it needs to be cherry-picked as is done in the submitted patch.
lrzip.diff