Arch-audit risk messages

Currently arch-audit shows the following high risk messages (among many medium risk ones):

minizip is affected by arbitrary code execution. Critical risk!
grub is affected by multiple issues. High risk! Update to at least 2:2.06-1!

The grub message has been there forever. I think it’s due to some alternative versioning scheme. Or can I fix that somehow?

The minizip message has also been there for a while. Can I fix that somehow? Is there a drop-in replacement for minizip for example? Or is it already fixed and arch-audit misinterprets versions.

Are either of those messages a valid current risk?
Are there other tools to check for vulnerable packages?

Hi @Gerenuk

According to the Minizip Arch page, there are many packages that rely on Minizip; Chromium, Electron25, KeepassXC, Qt5-webengine, Qt6-webengine, and telegram-desktop being just a few of the highlights.

There are probably replacements for Minizip, such as 7-zip-full, but that won’t help if you’re using any packages that depend on Minizip.

Without knowing the current state of your system, it’s unlikely anyone can answer that question with any certainty.

Please provide the output of:

inxi --admin --verbosity=7 --filter --no-host --width

to help others make a better informed guess.

Cheers.

grub cannot be considered in the same way because our packaging is different from Arch's.
Thus our versioning is flagged for a non-applicable bug.
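
To make the mechanism behind that concrete: the following is an added example (not code from this thread, from arch-audit or from Manjaro) that ports pacman's version-comparison rules (epoch, then pkgver, then pkgrel, each compared with the rpmvercmp segment rules) to Python and runs the advisory's fixed version "2:2.06-1" from the post above against a few installed-version strings. The installed versions are constructed for illustration and are not claimed to be Manjaro's real grub version; the point they show is that an advisory whose fixed version carries an epoch sorts above any package whose version string lacks that epoch, whatever the upstream release is.

```python
# Added example: a Python port of pacman's version comparison (alpm_pkg_vercmp /
# rpmvercmp), used to show why a package built under a different versioning
# scheme is flagged against an advisory fixed version such as "2:2.06-1".
# The installed version strings below are constructed, not real package data.

def _split_evr(evr: str):
    """Split '[epoch:]pkgver[-pkgrel]' as pacman's parseEVR does.
    A missing epoch is '0'; a missing pkgrel is None."""
    i = 0
    while i < len(evr) and evr[i].isdigit():
        i += 1
    if i < len(evr) and evr[i] == ':':
        epoch, rest = (evr[:i] or "0"), evr[i + 1:]
    else:
        epoch, rest = "0", evr
    ver, sep, rel = rest.rpartition('-')
    return (epoch, rest, None) if not sep else (epoch, ver, rel)


def _rpmvercmp(a: str, b: str) -> int:
    """Segment-wise comparison: -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la and j < lb:
        si, sj = i, j
        while i < la and not a[i].isalnum():       # skip separators
            i += 1
        while j < lb and not b[j].isalnum():
            j += 1
        if i >= la or j >= lb:
            break
        if (i - si) != (j - sj):                   # separator runs differ
            return -1 if (i - si) < (j - sj) else 1
        isnum = a[i].isdigit()                     # all-digit or all-alpha run
        pred = str.isdigit if isnum else str.isalpha
        ei, ej = i, j
        while ei < la and pred(a[ei]):
            ei += 1
        while ej < lb and pred(b[ej]):
            ej += 1
        seg_a, seg_b = a[i:ei], b[j:ej]
        if not seg_b:                              # numeric beats alpha
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip('0'), seg_b.lstrip('0')
            if len(seg_a) != len(seg_b):           # more digits wins
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return -1 if seg_a < seg_b else 1
        i, j = ei, ej
    if i >= la and j >= lb:
        return 0
    # leftover text: a trailing alpha segment never beats an empty string
    if (i >= la and not b[j].isalpha()) or (i < la and a[i].isalpha()):
        return -1
    return 1


def vercmp(a: str, b: str) -> int:
    """pacman-style full comparison: epoch first, then pkgver, then pkgrel."""
    if a == b:
        return 0
    ea, va, ra = _split_evr(a)
    eb, vb, rb = _split_evr(b)
    ret = _rpmvercmp(ea, eb)
    if ret == 0:
        ret = _rpmvercmp(va, vb)
        if ret == 0 and ra is not None and rb is not None:
            ret = _rpmvercmp(ra, rb)
    return ret


def flagged_by_advisory(installed: str, fixed: str) -> bool:
    """What a version-based audit does: installed < fixed means 'affected'."""
    return vercmp(installed, fixed) < 0


def upstream_behind(installed: str, fixed: str) -> bool:
    """Second opinion: compare only the upstream pkgver, ignoring epoch and
    pkgrel, which is what an upstream fix actually depends on."""
    return _rpmvercmp(_split_evr(installed)[1], _split_evr(fixed)[1]) < 0


if __name__ == "__main__":
    fixed = "2:2.06-1"                 # fixed version quoted by arch-audit above
    for installed in ("2.04-1",        # constructed: genuinely older upstream
                      "2.06-3",        # constructed: same upstream, no epoch
                      "2.06.r123.gabcdef0-1"):  # constructed: newer snapshot, no epoch
        print(f"{installed:24} flagged={flagged_by_advisory(installed, fixed)!s:5} "
              f"upstream_behind={upstream_behind(installed, fixed)}")
```

Every entry without the "2:" epoch is flagged, including one whose upstream pkgver sorts above 2.06, so the audit result says nothing about whether the upstream fix is present. The `upstream_behind` check is a rough second opinion, not a replacement for reading the advisory: it cannot see distribution patches, and a package can carry a backported fix at an older upstream version.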

Right you are.
And no, I don't know of any way to avoid it besides forking or hacking up the application.

At least on my system minizip is required for portions of the desktop … so it is not replaceable.
(which is a shame, because it seems somewhat redundant… but that could be ignorance on my part)

Since we had this discussion before… arch-audit generates a lot of false positives in Manjaro and should not be used; the developers even wanted to remove it from the repo to avoid unnecessary panic.


It's roughly only the one package … yochanon took that position … then reversed it.