MIR libzstd

Bug #1755310 reported by Dimitri John Ledkov
Affects: libzstd (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned
Milestone: (none)

Affects: libzstd (Ubuntu Xenial)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

[Availability]

 * In Universe, on all supported arches, since xenial

[Rationale]

 * In use by btrfs-progs[-udeb] in main
 * To be used by apt & dpkg
 * Already in use by the kernel for initramfs compression, however that is using in-kernel implementation

[Security]

 * https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=zstd -> none
 * Hardening flags are available
 * There are some compiler warnings

[Quality assurance]

 * Maintained in debian med team
 * xnox has upload rights, and fixed up for it to be Multi-arch sane
 * testsuite is enabled and passing
 * lacks autopkgtests, could be added to run the test-suite

[Dependencies]

 * Currently has only glibc as a dependency
 * The command line tool can be compiled with gzip (already enabled) and xz/lzma/lz4 (not enabled) support, making the zstd util cover all cases of compress/decompress/cat/less for any of these algorithms.

[Standards compliance]

 * Complies with debian packaging guidelines
 * Currently does not build reproducibly

[Maintenance]

 * Med, D-I teams in Debian, and foundations in Ubuntu

[Background information]

 * A new compression algorithm from Facebook, which is comparable to gzip, yet faster / less resource intensive than xz.

Dimitri John Ledkov (xnox) wrote :

foundations-bugs subscribed

Changed in libzstd (Ubuntu):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → MIR approval team (ubuntu-mir)

Matthias Klose (doko) wrote :

that looks ok

Override component to main
libzstd 1.3.3+dfsg-2ubuntu1 in bionic: universe/misc -> main
libzstd-dev 1.3.3+dfsg-2ubuntu1 in bionic amd64: universe/libdevel/optional/100% -> main
libzstd-dev 1.3.3+dfsg-2ubuntu1 in bionic arm64: universe/libdevel/optional/100% -> main
libzstd-dev 1.3.3+dfsg-2ubuntu1 in bionic armhf: universe/libdevel/optional/100% -> main
libzstd-dev 1.3.3+dfsg-2ubuntu1 in bionic i386: universe/libdevel/optional/100% -> main
libzstd-dev 1.3.3+dfsg-2ubuntu1 in bionic ppc64el: universe/libdevel/optional/100% -> main
libzstd-dev 1.3.3+dfsg-2ubuntu1 in bionic s390x: universe/libdevel/optional/100% -> main
libzstd1 1.3.3+dfsg-2ubuntu1 in bionic amd64: universe/libs/optional/100% -> main
libzstd1 1.3.3+dfsg-2ubuntu1 in bionic arm64: universe/libs/optional/100% -> main
libzstd1 1.3.3+dfsg-2ubuntu1 in bionic armhf: universe/libs/optional/100% -> main
libzstd1 1.3.3+dfsg-2ubuntu1 in bionic i386: universe/libs/optional/100% -> main
libzstd1 1.3.3+dfsg-2ubuntu1 in bionic ppc64el: universe/libs/optional/100% -> main
libzstd1 1.3.3+dfsg-2ubuntu1 in bionic s390x: universe/libs/optional/100% -> main
libzstd1-dev 1.3.3+dfsg-2ubuntu1 in bionic amd64: universe/oldlibs/optional/100% -> main
libzstd1-dev 1.3.3+dfsg-2ubuntu1 in bionic arm64: universe/oldlibs/optional/100% -> main
libzstd1-dev 1.3.3+dfsg-2ubuntu1 in bionic armhf: universe/oldlibs/optional/100% -> main
libzstd1-dev 1.3.3+dfsg-2ubuntu1 in bionic i386: universe/oldlibs/optional/100% -> main
libzstd1-dev 1.3.3+dfsg-2ubuntu1 in bionic ppc64el: universe/oldlibs/optional/100% -> main
libzstd1-dev 1.3.3+dfsg-2ubuntu1 in bionic s390x: universe/oldlibs/optional/100% -> main
libzstd1-udeb 1.3.3+dfsg-2ubuntu1 in bionic amd64: universe/debian-installer/optional/100% -> main
libzstd1-udeb 1.3.3+dfsg-2ubuntu1 in bionic arm64: universe/debian-installer/optional/100% -> main
libzstd1-udeb 1.3.3+dfsg-2ubuntu1 in bionic armhf: universe/debian-installer/optional/100% -> main
libzstd1-udeb 1.3.3+dfsg-2ubuntu1 in bionic i386: universe/debian-installer/optional/100% -> main
libzstd1-udeb 1.3.3+dfsg-2ubuntu1 in bionic ppc64el: universe/debian-installer/optional/100% -> main
libzstd1-udeb 1.3.3+dfsg-2ubuntu1 in bionic s390x: universe/debian-installer/optional/100% -> main
zstd 1.3.3+dfsg-2ubuntu1 in bionic amd64: universe/utils/optional/100% -> main
zstd 1.3.3+dfsg-2ubuntu1 in bionic arm64: universe/utils/optional/100% -> main
zstd 1.3.3+dfsg-2ubuntu1 in bionic armhf: universe/utils/optional/100% -> main
zstd 1.3.3+dfsg-2ubuntu1 in bionic i386: universe/utils/optional/100% -> main
zstd 1.3.3+dfsg-2ubuntu1 in bionic ppc64el: universe/utils/optional/100% -> main
zstd 1.3.3+dfsg-2ubuntu1 in bionic s390x: universe/utils/optional/100% -> main
31 publications overridden.

Changed in libzstd (Ubuntu):
status: Confirmed → Fix Released
assignee: MIR approval team (ubuntu-mir) → nobody

Balint Reczey (rbalint) wrote :

Dpkg in xenial-proposed now depends on libzstd, but it has open CVEs:
https://ubuntu.com/security/cve?q=&package=libzstd

As I understand dpkg is not affected because it does not use the zstd command and does not implement compression.

To not introduce CVE-2021-24031 and CVE-2021-24032 the zstd binary package could be kept in universe like in later releases.

Steve Beattie (sbeattie) wrote :

Ack from the Ubuntu Security team for moving libzstd into main in xenial.

(There is a third CVE believed to be affecting libzstd/xenial as well, CVE-2019-11922)

Matthias Klose (doko) wrote :

somebody already did that without touching the bug report:

Changed in libzstd (Ubuntu Xenial):
status: New → Fix Released