As rubenwardy pointed out, Minetest's security notices have a central source at the GitHub security page. That includes patch commits for each issue. So it shouldn't be difficult to backport those fixes. But the patches are automatically in there if your distro just updates to 5.9.0. Actually, the latest version mentioned in a security notice as of writing was CVE-2022-35978, which OP mentioned and which was fixed in 5.6.0.
I think any excuse about zstd is bogus, because it's available and packaged in free-software-only distros already. zstd is under a free software licence (dual-licensed actually, and both GPL and BSD are free licences). Nor did I find any actual evidence of a patent in my prior investigation. Trisquel 11 'aramo' actually has a zstd package. Guix, another entirely free-software package repository/distro, has zstd.
As for the rANS patent, that's news to me, but professional opinions given to The Register seem to disagree that it's important. And if there's a patent dispute, it will be between Meta Systems ("Facebook") and Microsoft, and hopefully not affect free software in the dispute - I may be naïve. As referenced on the ANS Wikipedia page, Microsoft DirectStorage seems to use an rANS algorithm. I would suggest the patent is there to obstruct others from using a reimplementation of DirectStorage more than to harass others like Meta over zstd.
So I don't think it's about zstd. What's more likely is the Trisquel maintainers aren't keeping up to date with Minetest versions and security notices. Anyone packaging Minetest should be subscribed to the security updates provided. Of course, Trisquel's maintainers might have a problem with that given they're published on the proprietary GitHub.
A proper package maintainer of a stable distro won't update the program version, but they should be keeping up with security notices and applying patches to resolve security issues like those listed in CVEs.
My distro, Debian 12 "Bookworm", comes with 5.6.1, which is up to date against the latest published notices without needing any patches. The current oldstable version "Bullseye" packages Minetest 5.3. I downloaded the source code and it hasn't been patched against CVE-2022-35978.
Trisquel, which is based on Ubuntu, currently offers Minetest 5.4.1. This would have been packaged by the Debian Games team, passed through I think unmodified from Ubuntu, and is now available in the Trisquel package mirrors. If there were any security patches to apply to 5.4.1, they would have to come from Ubuntu, as Debian's LTS versions went straight from 5.3 to 5.6, and 5.3 is to this day unpatched. A glance at the source of Ubuntu 22.04's package of Minetest seems to leave it also vulnerable to CVE-2022-35978, as did the source of the Trisquel package.
Really, it is quite a mess given Trisquel is 2 steps away from Debian. I have made some effort to check what is out there, but you can verify for yourself what your distribution's package's source code is with apt source minetest (please also check the subdirectory debian/patches, as those are applied to the package when it's built, while the main source code is left unmodified from upstream).
It is thankfully easy to patch a system. The security advisory points to the commit which fixed it, and it is relatively small. It should be backportable by anyone who can update the C++ source code correctly, with minimal actual C++ knowledge.
If your distribution is affected, you can report it to the maintainers with your distro's normal bug report tools, like Debian's reportbug. There are some processes about creating patches that package maintainers are used to but the average user doesn't really understand. You can submit a diff file to the maintainers that they should be able to sort out and add to their patch set.
Personally, this is just another good reason in my view to build from source or use the Minetest Developers Ubuntu PPA. Stay safe out there.
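The check described in the post (run apt source minetest, then look at debian/patches), written out as a script; this is an added example and not code from the post or from any distro's packaging. It assumes the usual debian/patches/series layout and only treats a patch as applied if it is listed in series; the sample trees it builds are constructed stand-ins, not real Minetest package sources.

```shell
#!/bin/sh
# Added example (not from the forum post): look through an unpacked Debian/Ubuntu/
# Trisquel source tree, as produced by `apt source <pkg>`, for a patch that
# references a given CVE id. Only patches listed in debian/patches/series are
# applied at build time, so a stray .patch file on disk does not count.

# Usage: check_cve_patch <source-dir> <CVE-id>
# Returns 0 if an applied patch or the changelog mentions the CVE, 1 otherwise.
check_cve_patch() {
    dir=$1; cve=$2
    series="$dir/debian/patches/series"
    if [ -f "$series" ]; then
        # Drop comments, then walk the applied patches in order
        for p in $(sed -e 's/#.*//' "$series"); do
            f="$dir/debian/patches/$p"
            [ -f "$f" ] || continue
            case "$p" in *"$cve"*) return 0 ;; esac   # CVE id in the file name
            grep -q -- "$cve" "$f" && return 0        # CVE id in the patch header/body
        done
    fi
    # Maintainers also record fixed CVEs in debian/changelog
    grep -q -- "$cve" "$dir/debian/changelog" 2>/dev/null && return 0
    return 1
}

# Build a constructed sample tree for demonstration (assumed layout, placeholder
# contents). $1 is "patched", "unpatched" or "unlisted"; prints the tree path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/debian/patches"
    printf 'minetest (5.4.1-1) unstable; urgency=medium\n\n  * Constructed entry.\n' \
        > "$t/debian/changelog"
    if [ "$1" != unpatched ]; then
        # Placeholder patch: a real backport would carry the upstream commit's diff
        printf 'Description: constructed placeholder backport for CVE-2022-35978\n' \
            > "$t/debian/patches/0001-fix-CVE-2022-35978.patch"
    fi
    if [ "$1" = patched ]; then
        echo "0001-fix-CVE-2022-35978.patch" > "$t/debian/patches/series"
    else
        printf '# no security patches listed\n' > "$t/debian/patches/series"
    fi
    echo "$t"
}

# Stand-alone use: ./check.sh /path/to/minetest-5.4.1 CVE-2022-35978
if [ -n "${1:-}" ]; then
    check_cve_patch "$1" "${2:-CVE-2022-35978}" && echo "patched" || echo "NOT patched"
fi
```

The "unlisted" sample tree is the caveat from the post: a patch sitting in debian/patches that is not in series is never applied, so the check reports it as unpatched.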