Upstream's release notes/blog post [0] note that some of the fixes in this release may have security implications: "A number of accumulated bug reports had collected since the last lrzip release and since I regularly use lrzip I want to make sure it stays bug free as far as I am aware, even if I'm not planning any new features for it. As some of the changes are potentially security fixes, I urge any user to update."
[0] https://ck-hack.blogspot.com/2022/02/lrzip-version-0650.html
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61c003d081de7195408fb32386a7afdf4ec8b5b2
commit 61c003d081de7195408fb32386a7afdf4ec8b5b2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-03-02 02:29:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-03-02 02:31:03 +0000
    app-arch/lrzip: add 0.650
    Bug: https://bugs.gentoo.org/834456
    Signed-off-by: Sam James <sam@gentoo.org>
 app-arch/lrzip/Manifest           |  1 +
 app-arch/lrzip/lrzip-0.650.ebuild | 51 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
Con just released 0.651: https://ck-hack.blogspot.com/2022/03/lrzip-version-0651.html
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9923950a8fb3c067c6102f7175b94ecc1cbbdfaf
commit 9923950a8fb3c067c6102f7175b94ecc1cbbdfaf
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-03-11 09:19:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-03-11 11:00:55 +0000
    app-arch/lrzip: add 0.651
    Not thought to fix any further vulnerabilities but it's a better stable candidate.
    Bug: https://bugs.gentoo.org/834456
    Signed-off-by: Sam James <sam@gentoo.org>
 app-arch/lrzip/Manifest           |  1 +
 app-arch/lrzip/lrzip-0.651.ebuild | 51 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
*** Bug 836350 has been marked as a duplicate of this bug. ***
Please cleanup
CVE-2022-28044 (https://github.com/ckolivas/lrzip/issues/216): lrzip v0.640 was discovered to contain a heap memory corruption via the component lrzip.c:initialise_control.