For reference, the bug that caused zsync removal from testing is
https://bugs.debian.org/1075710
The patch proposed above is not a proper fix; it just adjusts the
compile flags to ignore the errors.
I had a look at the code, and indeed zsync mixes up pointers to "long
int" and "long long int" types, so I suppose the risk of buffer overflow
is real on platforms where "long int" is 4 bytes.
Given that zsync development stopped long ago, it's not going to be
fixed upstream, and I don't trust myself to fix it (changing the size of
a variable in a struct, in C code I don't know and that is full of
pointer arithmetic, doesn't seem like a good idea).
I suppose the best solution would be for live-build to replace zsync with
something else, or do without it altogether.
Note that zsync has only one reverse dependency, quickemu.
Those were my two cents. Best,
--
Arnaud Rebillout / OffSec / Kali Linux Developer
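
Added example, not part of the message above and not zsync code: a model of the risk the message describes, assuming the mismatch runs in the direction where the address of a 4-byte "long int" field reaches code that stores a "long long int". The struct, field and function names are hypothetical, and `int32_t` stands in for a 4-byte `long` so the behaviour is the same on a 64-bit host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout, not zsync's: a 4-byte field (what "long int" is on a
   32-bit platform) followed directly by an unrelated neighbouring field. */
struct state {
    int32_t  offset;     /* stands in for a 4-byte "long int" */
    uint32_t neighbour;  /* whatever happens to sit after it */
};
_Static_assert(sizeof(struct state) == 8, "demo assumes no padding");

/* Stand-in for a callee that takes "long long *" and stores 8 bytes.
   Using memcpy on a byte pointer keeps the demo well-defined. */
static void store_ll(unsigned char *dst, int64_t v) {
    memcpy(dst, &v, sizeof v);
}

/* Mismatched call: the address of the 4-byte field is handed to code that
   writes 8 bytes. Returns the neighbour's value after the store. */
uint32_t mismatched_store(int64_t v) {
    struct state s = { 0, 0xAAAAAAAAu };
    store_ll((unsigned char *)&s, v);   /* writes bytes 0..7 of s */
    return s.neighbour;
}

/* Corrected call: receive into a temporary of the callee's type, then
   narrow with a range check. Returns 0 on success, -1 if v does not fit. */
int checked_store(int64_t v, struct state *s) {
    int64_t tmp;
    store_ll((unsigned char *)&tmp, v);
    if (tmp < INT32_MIN || tmp > INT32_MAX)
        return -1;
    s->offset = (int32_t)tmp;
    return 0;
}

int main(void) {
    struct state s = { 0, 0xAAAAAAAAu };
    printf("neighbour after mismatched store: 0x%08x\n",
           (unsigned)mismatched_store(1));
    printf("checked store of 2^40 returns: %d\n",
           checked_store(INT64_C(1) << 40, &s));
    return 0;
}
```

In real code the 8-byte store would run past the 4-byte object, which is why silencing the incompatible-pointer error with compile flags leaves the defect in place.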