Processed: pagure: CVE-2024-47515
Debian Bug Tracking System
2024-12-25 07:20:01 UTC
found -1 5.11.3+dfsg-2.1
Bug #1091383 [src:pagure] pagure: CVE-2024-47515
Marked as found in versions pagure/5.11.3+dfsg-2.1.
found -1 5.11.3+dfsg-1
Bug #1091383 [src:pagure] pagure: CVE-2024-47515
Marked as found in versions pagure/5.11.3+dfsg-1.
--
1091383: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091383
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2025-01-01 21:20:01 UTC
tags -1 pending
Bug #1091383 [src:pagure] pagure: CVE-2024-47515
Added tag(s) pending.
Rebecca N. Palmer
2025-01-02 22:00:01 UTC
I suspect that the generate_archive patch has a bug: zf.writestr(zi,
path) sets the file contents of the symlink in the zip (i.e. the
filename it points to) to path (the filename of the original symlink,
not the filename it points to). Hence, it creates a symlink to itself,
not a symlink to whatever the original symlink pointed to. The included
tests don't notice because they don't check where the symlink points to.

However, I don't know whether the obvious way to fix that would
introduce new security problems.
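As an added illustration (not code from the bug report or from pagure), the defect described above, assuming a zipfile.ZipInfo-based writer as the quoted zf.writestr(zi, path) call suggests: the buggy variant stores the link's own name as the entry contents, the corrected variant stores os.readlink(path), and symlink_targets() is the kind of read-back check the mentioned tests lacked.

```python
import os
import stat
import tempfile
import zipfile

# external_attr holds the Unix mode in its upper 16 bits; mark the entry as a symlink.
SYMLINK_MODE = (stat.S_IFLNK | 0o777) << 16


def add_symlink(zf, path, arcname, buggy=False):
    """Store the symlink at `path` in `zf` as a symlink entry named `arcname`."""
    zi = zipfile.ZipInfo(arcname)
    zi.external_attr = SYMLINK_MODE
    # Buggy: the entry's contents become the link's own archive name, i.e. a link
    # to itself.  Correct: the contents are whatever the original link points to.
    target = arcname if buggy else os.readlink(path)
    zf.writestr(zi, target)


def symlink_targets(zip_path):
    """Return {entry name: link target} for every symlink entry in the archive."""
    out = {}
    with zipfile.ZipFile(zip_path) as zf:
        for zi in zf.infolist():
            if stat.S_ISLNK(zi.external_attr >> 16):
                out[zi.filename] = zf.read(zi).decode()
    return out


def build_demo(buggy):
    """Constructed sample: a README plus a symlink 'link' -> 'README', zipped up."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "README"), "w") as f:
        f.write("hello\n")
    link = os.path.join(d, "link")
    os.symlink("README", link)
    zip_path = os.path.join(d, "out.zip")
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.write(os.path.join(d, "README"), "README")
        add_symlink(zf, link, "link", buggy=buggy)
    # A test that only lists entry names passes either way; checking the target
    # is what exposes the self-referential link.
    return symlink_targets(zip_path)


if __name__ == "__main__":
    print("buggy:  ", build_demo(buggy=True))    # {'link': 'link'}
    print("correct:", build_demo(buggy=False))   # {'link': 'README'}
```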
Debian Bug Tracking System
2025-01-20 08:50:01 UTC
Your message dated Mon, 20 Jan 2025 08:41:20 +0000
with message-id <E1tZnLU-00FHON-***@fasolo.debian.org>
and subject line Bug#1091383: fixed in pagure 5.14.1+dfsg-1
has caused the Debian Bug report #1091383,
regarding pagure: CVE-2024-47515 CVE-2024-47516 CVE-2024-4981 CVE-2024-4982
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)