Closed jayaddison closed 1 week ago
Kudos, SonarCloud Quality Gate passed!
Issues: 0 New issues
Measures: 0 Security Hotspots; No data about Coverage; No data about Duplication
Issues: 0 New issues; 0 Accepted issues
Measures: 0 Security Hotspots; 0.0% Coverage on New Code; 0.0% Duplication on New Code
Hi @iainrussell - apologies for the direct mention; you appeared when I checked the list of recent commits in this repository and I thought it might be worth tagging you on this PR.
This was part of a series of pull requests that I opened in various projects after learning about CVE-2023-45853 -- a problem related to very long filenames or comments in zip files -- in minizip, as distributed with the zlib sources.
I'm working through some old/stale pull requests to determine whether they can be closed, and this is one of them.
I wasn't and am not super familiar with magics (I'm not a user of it), but on inspection I notice that minizip is used during opening of KML and GeoJSON files -- and uses fixed, short filenames, without any use of comments in those sections of code -- so I believe that this codebase is unaffected by the problem.
Even so, I'd personally generally recommend staying up-to-date with external dependency updates, because it can make future upgrades to them easier -- but I don't think there's any necessity to do so in this case. I'll likely close this pull request in a week or so's time, unless the project feels it is worthwhile to merge.
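As an added illustration of the kind of check the comment above relies on (this is example code, not part of this PR or of magics), the following Python audit walks a zip archive's central directory and reports the longest filename, extra field and comment it carries, next to a guard that rejects entry metadata too long for the format's 16-bit length fields. The header layout comes from the zip specification; the function names and the inline sample archive are constructed for this example.

```python
import io
import struct
import zipfile

# Added example, not code from the PR or from magics. Zip keeps the filename,
# extra-field and comment length of every entry in 16-bit central-directory
# fields (PKWARE APPNOTE 4.3.12), so 0xFFFF is the most any of them can hold.
CEN_SIG = 0x02014B50
CEN_FMT = "<IHHHHHHIIIHHHHHII"  # 46-byte fixed part of a central directory header
EOCD_SIG = 0x06054B50
EOCD_FMT = "<IHHHHIIH"  # 22-byte end-of-central-directory record
FIELD_MAX = 0xFFFF

def audit_zip_lengths(data: bytes) -> dict:
    """Walk the central directory with struct (not zipfile's parser) and return
    the longest filename, extra field and comment, plus archive comment length."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    _, _, _, _, entries, _, cd_offset, arc_comment_len = struct.unpack(
        EOCD_FMT, data[eocd:eocd + 22])
    longest = {"filename": 0, "extra": 0, "comment": 0,
               "archive_comment": arc_comment_len, "entries": entries}
    pos = cd_offset
    for _ in range(entries):
        fields = struct.unpack(CEN_FMT, data[pos:pos + 46])
        if fields[0] != CEN_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        longest["filename"] = max(longest["filename"], name_len)
        longest["extra"] = max(longest["extra"], extra_len)
        longest["comment"] = max(longest["comment"], comment_len)
        pos += 46 + name_len + extra_len + comment_len  # skip the variable part
    return longest

def entry_metadata_fits(filename: str, extra: bytes = b"", comment: str = "") -> bool:
    """Guard to apply before handing entry metadata to a zip writer."""
    encoded = (filename.encode("utf-8"), extra, comment.encode("utf-8"))
    return all(len(v) <= FIELD_MAX for v in encoded)

def build_sample_zip(name_len: int, comment: str = "") -> bytes:
    """Constructed sample archive: one entry whose name is name_len 'a's."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("a" * name_len)
        info.comment = comment.encode("utf-8")
        zf.writestr(info, b"payload")
    return buf.getvalue()
```

Zip64 archives keep their entry counts and offsets in separate records, which this audit does not parse.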
Closing this pull request; please feel free to recover the commits (git fetch origin pull/102/head:pr-102-recovered, or similar) and apply/compare against those if they'd be useful in future.
Updates the vendored minizip code to v1.3.1 from madler/zlib.
Also includes one change to the defaults in the Dockerfile (reverted, to avoid mixing unrelated changes), so that I could build a container image and run the selfcheck in it. I don't know whether that proves much about the upgrade; I did find the magics-test regression tests but haven't been able to run those yet.