
List:       oss-security
Subject:    Re: [oss-security] CVE-2023-45853: overflows in MiniZip in zlib through 1.3
From:       Alan Coopersmith <alan.coopersmith () oracle ! com>
Date:       2024-01-24 19:31:36
Message-ID: f9f01b3b-a4cd-444e-bc3f-ad602ff8d587 () oracle ! com

On 10/20/23 11:42, Alan Coopersmith wrote:
> CVE-2023-45853 was published last week for:
> 
>     MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based
>     buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or
>     extra field. NOTE: MiniZip is not a supported part of the zlib product.
> 
> where "long" means "longer than can be stored in the 16-bit length value used
> for the length of these fields".
> 
> minizip is part of the contrib directory in zlib, which doesn't seem to be built
> by default as far as I can tell, yet NVD has assigned a CVSS of 9.8 to make CVE
> scanners scream at full volume, while Red Hat went with a CVSS of 5.3 instead:
> 
> https://access.redhat.com/security/cve/CVE-2023-45853#cve-cvss-v3
> 
> A fix has been checked into the upstream git repo:
> https://github.com/madler/zlib/pull/843
> but a release has not yet been made including it.

The fix was included in this week's zlib 1.3.1 release:
https://github.com/madler/zlib/releases/tag/v1.3.1

That release also contains a fix for CVE-2014-9485, a path traversal
vulnerability, in the miniunz program from the minizip contrib directory:
https://github.com/madler/zlib/commit/14a5f8f266c16c87ab6c086fc52b770b27701e01

-- 
         -Alan Coopersmith-                 alan.coopersmith@oracle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
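
The quoted CVE text says the MiniZip overflow is reached with a filename, comment, or extra field longer than the 16-bit length value used for those fields. The following is an added illustration of that failure class and of the shape of check that closes it; it is editor-written example code, not zlib's or minizip's code and not the upstream patch. It models a ZIP local file header (30 fixed bytes, name length at offset 26 and extra length at offset 28, both 16-bit little-endian, per the ZIP format) and assumes the function names, the simplified buffer-sizing logic in simulate_overrun, and that rejecting any field above 0xffff with minizip's existing ZIP_PARAMERROR code is the right response.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define ZIP_OK 0
#define ZIP_PARAMERROR (-102)   /* minizip's existing error code, reused here for the rejection */

/* ZIP local file header: 30 fixed bytes, then the name, then the extra field.
   Name length and extra length are 16-bit LE fields at offsets 26 and 28. */
#define LOCAL_HEADER_FIXED 30
#define NAME_LEN_OFFSET    26
#define EXTRA_LEN_OFFSET   28

static void put_le16(unsigned char *p, uint16_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
static uint16_t get_le16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Hardened check (assumed model of the fix class): reject any field that cannot be
   represented in a 16-bit header field before any header or buffer is built. */
int check_entry_fields(size_t name_len, size_t extra_local_len,
                       size_t extra_global_len, size_t comment_len)
{
    if (name_len > 0xffff || extra_local_len > 0xffff ||
        extra_global_len > 0xffff || comment_len > 0xffff)
        return ZIP_PARAMERROR;
    return ZIP_OK;
}

/* Simplified model of the vulnerable pattern: the caller's size_t lengths are stored
   truncated to uint16_t, and a writer that sizes its buffer from the header's own
   fields allocates fewer bytes than the full copy needs. Returns how many bytes the
   copy would overrun the allocation by (0 means the sizes agree). This only computes
   the sizes; it never performs the overflowing copy. */
size_t simulate_overrun(size_t name_len, size_t extra_len)
{
    unsigned char hdr[LOCAL_HEADER_FIXED] = {0};
    put_le16(hdr + NAME_LEN_OFFSET,  (uint16_t)name_len);   /* silent truncation */
    put_le16(hdr + EXTRA_LEN_OFFSET, (uint16_t)extra_len);
    size_t alloc = LOCAL_HEADER_FIXED + get_le16(hdr + NAME_LEN_OFFSET)
                                      + get_le16(hdr + EXTRA_LEN_OFFSET);
    size_t need  = LOCAL_HEADER_FIXED + name_len + extra_len;
    return need > alloc ? need - alloc : 0;
}

/* Hardened header builder: lengths are validated first, so the uint16_t casts below
   are exact and the allocation matches the copy. Returns NULL on rejection or OOM. */
unsigned char *build_local_header(const char *name, size_t name_len,
                                  const unsigned char *extra, size_t extra_len,
                                  size_t *out_len)
{
    if (check_entry_fields(name_len, extra_len, 0, 0) != ZIP_OK)
        return NULL;
    size_t total = LOCAL_HEADER_FIXED + name_len + extra_len;
    unsigned char *buf = calloc(total, 1);
    if (buf == NULL)
        return NULL;
    buf[0] = 0x50; buf[1] = 0x4b; buf[2] = 0x03; buf[3] = 0x04;   /* local header signature */
    put_le16(buf + NAME_LEN_OFFSET,  (uint16_t)name_len);
    put_le16(buf + EXTRA_LEN_OFFSET, (uint16_t)extra_len);
    if (name_len)  memcpy(buf + LOCAL_HEADER_FIXED, name, name_len);
    if (extra_len) memcpy(buf + LOCAL_HEADER_FIXED + name_len, extra, extra_len);
    *out_len = total;
    return buf;
}

int main(void)
{
    size_t too_long = 0x10005;   /* constructed: truncates to 5 in a 16-bit field */
    printf("overrun for %zu-byte name: %zu bytes\n", too_long, simulate_overrun(too_long, 0));
    printf("check_entry_fields(%zu,...): %d\n", too_long, check_entry_fields(too_long, 0, 0, 0));
    size_t n = 0;
    unsigned char *h = build_local_header("a.txt", 5, NULL, 0, &n);
    printf("valid header built: %s (%zu bytes)\n", h ? "yes" : "no", n);
    free(h);
    return 0;
}
```

The point of simulate_overrun is the arithmetic, not the corruption: a name of 0x10005 bytes is recorded as 5, so a buffer sized from the header is short by exactly 0x10000 bytes. check_entry_fields is the kind of up-front guard that prevents the truncation from ever being relied on; whether a given caller can pass such lengths decides the real severity, which is the disagreement over the CVSS score discussed above.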
