[FFe] upgrade libzip to version 1.5.0
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libzip (Debian) | Fix Released | Unknown | | |
libzip (Ubuntu) | Fix Released | Wishlist | Unassigned | |
Bug Description
Feature Freeze Justification
=======
This release has fixes for two CVEs and, most notably, has replaced its custom AES crypto implementation with the openssl libraries. It is for these security reasons that I am requesting this FFe this late in the cycle.
Other Changes:
- A bunch of bug fixes
- A number of new features like bzip2 (this is optional and could be disabled for 18.04) and improved AES encryption support; some of the new features are for other platforms only
- Breaks API (only 1 symbol was removed though), soname bump, so will require a mini transition, all the 24 reverse-depends that I count are in universe. Some are seeded in flavours (see below)
- Build system switched to CMake in latest release
- Ark will build with libzip support where it didn't before
Testing:
It has a fairly comprehensive test suite, all tests are now passing.
I have run a test rebuild for all the rdepends in ppa:darkxst/libzip. All built successfully, except for 2 packages, cbmc and plume-creator, that had unrelated fallout due to gcc7 and other packaging changes (fixed on PPA).
Other Notes:
- Various fixes (rpath, man page syntax, leaky private symbols and pkg-config fixes) have been committed upstream and will be released soon in a 1.5.1 release, cherry-picked patches for now
- I will also push for the update into Debian
Reverse-depends of libzip4 that are seeded:
ark (from ark) is seeded in:
kubuntu: daily-live
lubuntu-next: daily-live
ideviceinstaller is seeded in:
ubuntu-mate: daily-live
libepub0 is seeded in:
kubuntu: daily-live
ubuntustudio: dvd
libpstoedit0c2a is seeded in:
kubuntu: supported
okular-
kubuntu: daily-live
Upstream Changelog
==================
1.5.0 [2018-03-11]
==================
* Use standard cryptographic library instead of custom AES implementation.
This also simplifies the license.
* Use `clang-format` to format the source code.
* More Windows improvements.
1.4.0 [2017-12-29]
==================
* Improve build with cmake
* Retire autoconf/automake build system
* Add `zip_source_
* Add support to clone unchanged beginning of archive (instead of rewriting it).
Supported for buffer sources and on Apple File System.
* Add support for Microsoft Universal Windows Platform.
1.3.2 [2017-11-20]
==================
* Fix bug introduced in last: zip_t was erroneously freed if zip_close() failed.
1.3.1 [2017-11-19]
==================
* Install zipconf.h into ${PREFIX}/include
* Add zip_libzip_
* Fix AES tests on Linux
1.3.0 [2017-09-02]
==================
* Support bzip2 compressed zip archives
* Improve file progress callback code
* Fix zip_fdopen()
* CVE-2017-12858: Fix double free()
* CVE-2017-14107: Improve EOCD64 parsing
1.2.0 [2017-02-19]
==================
* Support for AES encryption (Winzip version), both encryption
and decryption
* Support legacy zip files with >64k entries
* Fix seeking in zip_source_file if start > 0
* Add zip_fseek() for seeking in uncompressed data
* Add zip_ftell() for telling position in uncompressed data
* Add zip_register_
1.1.3 [2016-05-28]
==================
* Fix build on Windows when using autoconf
affects: ubuntu → libzip (Ubuntu)
Changed in libzip (Ubuntu):
status: New → In Progress
assignee: nobody → Stephen Hope (stevehope)
Changed in libzip (Ubuntu Bionic):
assignee: Stephen Hope (stevehope) → nobody
summary:
- [needs packaging] upgrade libzip to version 1.20
+ [FFe] upgrade libzip to version 1.5.0
description: updated
description: updated
Changed in libzip (Ubuntu Bionic):
status: In Progress → New
no longer affects: libzip (Ubuntu Bionic)
tags: added: bionic
description: updated
Changed in libzip (Debian):
status: Unknown → New
description: updated
Changed in libzip (Ubuntu):
status: New → Fix Committed
Changed in libzip (Debian):
status: New → Fix Released
*** This is an automated message ***
This bug is tagged needs-packaging which identifies it as a request for a new package in Ubuntu. As a part of the managing needs-packaging bug reports specification, https://wiki.ubuntu.com/QATeam/Specs/NeedsPackagingBugs, all needs-packaging bug reports have Wishlist importance. Subsequently, I'm setting this bug's status to Wishlist.