backuppc / backuppc-xs

BackupPC::XS implements various BackupPC functions in a perl-callable module.

CVE in zlib bundled in BackupPC-XS #9

Open hobbes1069 opened 2 years ago

hobbes1069 commented 2 years ago

Meant to post the other one here instead of on main backuppc...

https://bugzilla.redhat.com/show_bug.cgi?id=2067945

Upstream fix in 1.2.12: https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531

xtaran commented 1 year ago

If BackupPC::XS didn't bundle zlib code but relied on distributions to provide and update the zlib packages, this wouldn't be an issue at all.

Actually Debian patches out the usage of the embedded zlib copy in their libbackuppc-xs-perl package for exactly that reason.

So please just drop the embedded zlib code and list it as a build dependency.
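The two questions a packager wants answered after reading this thread are: does the installed BackupPC::XS module actually resolve zlib from the system (as Debian's patched package does), and if not, is the vendored copy older than the 1.2.12 release that carries the upstream fix? The following audit script is an added example, not code from the BackupPC-XS project or from anyone in this thread. It assumes the vendored zlib ships a normal `zlib.h` with a `#define ZLIB_VERSION "..."` line, that `ldd` output on the module's shared object is the way to observe dynamic linkage, and that the module lives at the conventional Perl XS path `auto/BackupPC/XS/XS.so` (an assumption about layout, not something stated in the issue). The `zlib.h` excerpt and `ldd` output below are constructed samples.

```python
"""Audit whether a Perl XS module carries an outdated vendored zlib.

Added example for this issue; not part of BackupPC-XS. Assumptions:
  - the vendored copy has a zlib.h with a ZLIB_VERSION define
  - `ldd` on the compiled module shows whether libz comes from the system
  - the module's .so sits at the usual XS path auto/BackupPC/XS/XS.so
"""
import os
import re

# Release that carries the upstream fix referenced in the issue.
FIXED_VERSION = "1.2.12"

# Matches e.g. `#define ZLIB_VERSION "1.2.11"` (ZLIB_VERNUM / ZLIB_VER_MAJOR do not match).
_VERSION_RE = re.compile(r'^\s*#\s*define\s+ZLIB_VERSION\s+"([^"]+)"', re.M)

# Constructed zlib.h excerpt shaped like the real header, NOT a copy of it.
SAMPLE_OLD_ZLIB_H = """\
/* constructed sample header */
#define ZLIB_VERSION "1.2.11"
#define ZLIB_VERNUM 0x12b0
#define ZLIB_VER_MAJOR 1
"""

# Constructed `ldd` output: module dynamically linked against the distro libz.
SAMPLE_LDD_DYNAMIC = """\
\tlinux-vdso.so.1 (0x0000000000000001)
\tlibz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x0000000000000002)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000000000000003)
"""

# Constructed `ldd` output: no libz entry, i.e. zlib was compiled into the module.
SAMPLE_LDD_STATIC = """\
\tlinux-vdso.so.1 (0x0000000000000001)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000000000000003)
"""


def parse_zlib_version(header_text):
    """Return the ZLIB_VERSION string declared in a zlib.h, or None if absent."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(version):
    """'1.2.11.1' -> (1, 2, 11, 1); trailing suffixes such as '-motley' are ignored."""
    core = re.match(r"[0-9.]+", version).group(0)
    return tuple(int(part) for part in core.split(".") if part)


def bundled_zlib_is_outdated(header_text, fixed=FIXED_VERSION):
    """True when the vendored zlib.h declares a version older than the fixed release."""
    version = parse_zlib_version(header_text)
    if version is None:
        raise ValueError("no ZLIB_VERSION define found in header text")
    return version_tuple(version) < version_tuple(fixed)


def links_system_zlib(ldd_output):
    """True when `ldd` lists libz.so, meaning zlib is resolved from the system library."""
    return any(line.strip().startswith("libz.so") for line in ldd_output.splitlines())


def find_vendored_zlib_headers(root):
    """Walk a source tree and return every zlib.h path, the usual sign of a vendored copy."""
    return sorted(
        os.path.join(dirpath, name)
        for dirpath, _, names in os.walk(root)
        for name in names
        if name == "zlib.h"
    )


def audit(header_text, ldd_output, fixed=FIXED_VERSION):
    """Combine both checks into a verdict a packager can act on."""
    uses_system = links_system_zlib(ldd_output)
    if uses_system:
        verdict = "system-zlib"  # distro security updates cover it
    elif bundled_zlib_is_outdated(header_text, fixed):
        verdict = "vulnerable-bundled-copy"  # rebuild against system zlib or update the copy
    else:
        verdict = "patched-bundled-copy"
    return {
        "bundled_version": parse_zlib_version(header_text),
        "uses_system_zlib": uses_system,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # On a real host, feed `ldd` output of the installed module instead of the sample:
    #   ldd "$(perl -MConfig -e 'print $Config{sitearch}')/auto/BackupPC/XS/XS.so"
    for label, ldd in (("dynamic", SAMPLE_LDD_DYNAMIC), ("static", SAMPLE_LDD_STATIC)):
        print(label, audit(SAMPLE_OLD_ZLIB_H, ldd))
```

The verdict is deliberately three-way: a module that resolves `libz.so` from the distribution is covered by the distribution's zlib updates regardless of what the vendored header says, which is exactly the situation the Debian patch creates; a module with zlib compiled in only passes when the vendored header is at or past the fixed release.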

Neustradamus commented 1 year ago

To follow this ticket