CVE-2023-45853

NameCVE-2023-45853
DescriptionMiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3670-1
Debian Bugs1054290, 1056718

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
minizip (PTS)bullseye1.1-8+deb11u1fixed
bookworm1.1-8+deb12u1fixed
zlib (PTS)bullseye (security), bullseye1:1.2.11.dfsg-2+deb11u2vulnerable
bookworm1:1.2.13.dfsg-1vulnerable
sid, trixie1:1.3.dfsg+really1.3.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
minizipsourcebuster1.1-8+deb10u1DLA-3670-1
minizipsourcebullseye1.1-8+deb11u1
minizipsourcebookworm1.1-8+deb12u1
minizipsource(unstable)(unfixed)1056718
zlibsource(unstable)1:1.3.dfsg-21054290

Notes

[bookworm] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages)
[bullseye] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages)
[buster] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages)
https://github.com/madler/zlib/pull/843
https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c
src:zlib only starts building minizip starting in 1:1.2.13.dfsg-2
For older suites due to this an update can be ignored as no binary package built
by the vulnerable source is affected (i.e. contrib/minizip not built and provided
in those versions).

Search for package or bug name: Reporting problems