CVE-2023-45853

Name	CVE-2023-45853
Description	MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3670-1
Debian Bugs	1054290, 1056718

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
minizip (PTS)	bullseye	1.1-8+deb11u1	fixed
	bookworm	1.1-8+deb12u1	fixed
zlib (PTS)	bullseye (security), bullseye	1:1.2.11.dfsg-2+deb11u2	vulnerable
	bookworm	1:1.2.13.dfsg-1	vulnerable
	sid, trixie	1:1.3.dfsg+really1.3.1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
minizip	source	buster	1.1-8+deb10u1	DLA-3670-1
minizip	source	bullseye	1.1-8+deb11u1
minizip	source	bookworm	1.1-8+deb12u1
minizip	source	(unstable)	(unfixed)		1056718
zlib	source	(unstable)	1:1.3.dfsg-2		1054290

Notes

[bookworm] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages)
[bullseye] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages)
[buster] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages)
https://github.com/madler/zlib/pull/843
https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c
src:zlib only starts building minizip starting in 1:1.2.13.dfsg-2
For older suites due to this an update can be ignored as no binary package built
by the vulnerable source is affected (i.e. contrib/minizip not built and provided
in those versions).