oss-sec mailing list archives
Re: CVE-2023-45853: overflows in MiniZip in zlib through 1.3
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Wed, 24 Jan 2024 11:31:36 -0800
On 10/20/23 11:42, Alan Coopersmith wrote:
> CVE-2023-45853 was published last week for:
>
>   MiniZip in zlib through 1.3 has an integer overflow and resultant
>   heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long
>   filename, comment, or extra field. NOTE: MiniZip is not a supported
>   part of the zlib product.
>
> where "long" means "longer than can be stored in the 16-bit length value
> used for the length of these fields".
>
> minizip is part of the contrib directory in zlib, which doesn't seem to be
> built by default as far as I can tell, yet NVD has assigned a CVSS of 9.8
> to make CVE scanners scream at full volume, while Red Hat went with a CVSS
> of 5.3 instead:
> https://access.redhat.com/security/cve/CVE-2023-45853#cve-cvss-v3
>
> A fix has been checked into the upstream git repo:
> https://github.com/madler/zlib/pull/843
> but a release has not yet been made including it.
The fix was included in this week's zlib 1.3.1 release:
https://github.com/madler/zlib/releases/tag/v1.3.1

That release also contains a fix for CVE-2014-9485, a path traversal
vulnerability, in the miniunz program from the minizip contrib directory:
https://github.com/madler/zlib/commit/14a5f8f266c16c87ab6c086fc52b770b27701e01

-- 
	-Alan Coopersmith-               alan.coopersmith () oracle com
	 Oracle Solaris Engineering - https://blogs.oracle.com/solaris
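Editor's added example, not code from zlib, minizip or from the poster. It illustrates the class of bug the thread describes: a ZIP local file header carries the filename and extra-field lengths as 16-bit little-endian values after a 30-byte fixed part (the comment length is likewise a 16-bit field in the central directory), so a size_t length above 65535 that is cast to 16 bits silently wraps. The first function models the vulnerable arithmetic without performing any out-of-bounds write; the rest shows the up-front length check a hardened writer needs. Function names, the 30-byte constant's use here and the test inputs are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Fixed part of a ZIP local file header (signature through extra length). */
#define LOCAL_HDR_FIXED 30u

/* Vulnerable arithmetic (modelled, not executed as a real write):
 * the allocation is sized from lengths truncated to 16 bits while the copy
 * would use the caller's full lengths. Returns how many bytes such a copy
 * would run past the allocation; 0 means the two sizes agree. */
size_t local_header_overrun(size_t name_len, size_t extra_len)
{
    uint16_t name16  = (uint16_t)name_len;   /* silent truncation */
    uint16_t extra16 = (uint16_t)extra_len;  /* silent truncation */
    size_t allocated = LOCAL_HDR_FIXED + name16 + extra16;
    size_t copied    = LOCAL_HDR_FIXED + name_len + extra_len;
    return copied > allocated ? copied - allocated : 0;
}

/* Hardened check: every field must fit its 16-bit length slot before any
 * size is computed or any byte is copied. Returns 1 if all fit, else 0. */
int zip_field_lengths_ok(size_t name_len, size_t extra_len, size_t comment_len)
{
    return name_len <= UINT16_MAX && extra_len <= UINT16_MAX &&
           comment_len <= UINT16_MAX;
}

static void put16le(unsigned char *p, uint16_t v)
{
    p[0] = (unsigned char)(v & 0xff);
    p[1] = (unsigned char)(v >> 8);
}

/* Build the variable part of a local file header (name length, extra length,
 * name bytes, extra bytes) into a heap buffer sized from the real lengths.
 * Returns NULL with *out_len = 0 if a field exceeds UINT16_MAX or on OOM.
 * Caller frees the result. */
unsigned char *build_local_header_vars(const char *name, size_t name_len,
                                       const unsigned char *extra, size_t extra_len,
                                       size_t *out_len)
{
    *out_len = 0;
    if (!zip_field_lengths_ok(name_len, extra_len, 0))
        return NULL;                         /* reject instead of wrapping */
    size_t total = 4 + name_len + extra_len; /* no 16-bit arithmetic here */
    unsigned char *buf = malloc(total);
    if (!buf)
        return NULL;
    put16le(buf, (uint16_t)name_len);        /* safe: checked above */
    put16le(buf + 2, (uint16_t)extra_len);
    if (name_len)
        memcpy(buf + 4, name, name_len);
    if (extra_len)
        memcpy(buf + 4 + name_len, extra, extra_len);
    *out_len = total;
    return buf;
}

/* Self-check: a short name round-trips with correct little-endian length
 * fields, and a 70000-byte name (constructed input) is rejected. */
int demo_roundtrip_ok(void)
{
    size_t n = 0;
    unsigned char *h = build_local_header_vars("a.txt", 5, NULL, 0, &n);
    int ok = h && n == 9 && h[0] == 5 && h[1] == 0 && h[2] == 0 && h[3] == 0 &&
             memcmp(h + 4, "a.txt", 5) == 0;
    free(h);

    char *big = malloc(70000);
    if (!big)
        return 0;
    memset(big, 'A', 70000);
    ok = ok && build_local_header_vars(big, 70000, NULL, 0, &n) == NULL && n == 0;
    free(big);
    return ok;
}

int main(void)
{
    printf("overrun for 70000-byte name: %zu bytes\n", local_header_overrun(70000, 0));
    printf("roundtrip/reject check: %s\n", demo_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

The interesting value is the overrun for a 70000-byte name: the 16-bit cast yields 4464, so the allocation is 4494 bytes while the copy would write 70030, a 65536-byte overrun. The size of the overrun is a multiple of 65536 whichever length is passed, which is why the original check has to happen on the full-width value before the cast rather than on the 16-bit result.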