zlib: CVE-2023-45853


Debian Bug report logs - #1054290

Package: src:zlib; Maintainer for src:zlib is Mark Brown <broonie@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 20 Oct 2023 19:48:01 UTC

Severity: important

Tags: patch, security, upstream

Found in versions zlib/1:1.2.13.dfsg-1, zlib/1:1.2.13.dfsg-3



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Mark Brown <broonie@debian.org>:
Bug#1054290; Package src:zlib. (Fri, 20 Oct 2023 19:48:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Mark Brown <broonie@debian.org>. (Fri, 20 Oct 2023 19:48:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: zlib: CVE-2023-45853
Date: Fri, 20 Oct 2023 21:44:53 +0200
Source: zlib
Version: 1:1.2.13.dfsg-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for zlib.

CVE-2023-45853[0]:
| MiniZip in zlib through 1.3 has an integer overflow and resultant
| heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long
| filename, comment, or extra field. NOTE: MiniZip is not a supported
| part of the zlib product.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45853
    https://www.cve.org/CVERecord?id=CVE-2023-45853
[1] https://github.com/madler/zlib/pull/843
[2] https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
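The CVE text above names the bug (an integer overflow that becomes a heap overflow) but not the arithmetic behind it. The following C block is an added illustration, not code from zlib, minizip, or any message in this bug log. It models the length bookkeeping in zipOpenNewFileInZip4_64: the filename, global extra field and comment lengths are summed in a 32-bit uInt to size a heap buffer, and the data is then memcpy'd into it. The 46-byte fixed record size and the 32-byte reserve are minizip's; the function names, the use of a plain `> 0xffff` comparison (the zip format stores these lengths in 16-bit fields) and the caller-side guard are assumptions of this example rather than a copy of the upstream commit.

```c
/*
 * Added illustration (not code from zlib, minizip or this bug report).
 * Models the size computation in minizip's zipOpenNewFileInZip4_64 that
 * CVE-2023-45853 describes. Function names and the exact limit check are
 * assumptions; SIZECENTRALHEADER and the 32-byte reserve follow zip.c.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIZECENTRALHEADER 0x2e      /* fixed part of a central directory record */
#define SIZE_CENTRAL_EXTRA_FREE 32  /* reserve minizip adds for ZIP64 extra data */
#define ZIP_FIELD_MAX 0xffffu       /* zip stores these lengths in 16-bit fields */

/* Pre-fix arithmetic: plain 32-bit addition, wraps silently. */
uint32_t central_header_size_unchecked(uint32_t size_filename,
                                       uint32_t size_extrafield_global,
                                       uint32_t size_comment)
{
    return SIZECENTRALHEADER + size_filename + size_extrafield_global + size_comment;
}

/* Bytes the subsequent memcpy calls actually write, computed without
 * wrap-around so it can be compared against the wrapped allocation. */
uint64_t central_header_bytes_written(uint32_t size_filename,
                                      uint32_t size_extrafield_global,
                                      uint32_t size_comment)
{
    return (uint64_t)SIZECENTRALHEADER + size_filename + size_extrafield_global + size_comment;
}

/* 1 if the pre-fix code would allocate fewer bytes than it then copies
 * (the heap overflow), 0 otherwise. */
int unchecked_allocation_too_small(uint32_t size_filename,
                                   uint32_t size_extrafield_global,
                                   uint32_t size_comment)
{
    uint32_t alloc = central_header_size_unchecked(size_filename, size_extrafield_global, size_comment)
                     + SIZE_CENTRAL_EXTRA_FREE;   /* still 32-bit, so it may wrap */
    return central_header_bytes_written(size_filename, size_extrafield_global, size_comment) > alloc;
}

/* What the 16-bit length field on disk records for a given length: anything
 * above 0xffff is truncated, so even a large-enough allocation would produce
 * an archive whose header lengths disagree with the bytes written. */
uint16_t on_disk_length_field(uint32_t len)
{
    return (uint16_t)len;
}

/* Post-fix behaviour: reject any field that does not fit its 16-bit header
 * slot before doing any arithmetic. Upstream returns ZIP_PARAMERROR; here
 * -1 signals rejection and 0 success, with the size stored in *out. */
int central_header_size_checked(uint32_t size_filename,
                                uint32_t size_extrafield_local,
                                uint32_t size_extrafield_global,
                                uint32_t size_comment,
                                uint32_t *out)
{
    if (size_filename > ZIP_FIELD_MAX || size_extrafield_local > ZIP_FIELD_MAX ||
        size_extrafield_global > ZIP_FIELD_MAX || size_comment > ZIP_FIELD_MAX)
        return -1;
    /* 46 + 3 * 0xffff is far below 2^32, so this sum cannot wrap. */
    *out = SIZECENTRALHEADER + size_filename + size_extrafield_global + size_comment;
    return 0;
}

/* Caller-side guard (assumed helper) for code that vendors an unpatched
 * minizip: validate the parameters the same way before calling zipOpenNewFile*. */
int zip_entry_params_ok(const char *filename, const char *comment,
                        size_t size_extrafield_local, size_t size_extrafield_global)
{
    if (filename == NULL)
        return 0;
    size_t fl = strlen(filename);
    size_t cl = comment ? strlen(comment) : 0;
    return fl <= ZIP_FIELD_MAX && cl <= ZIP_FIELD_MAX &&
           size_extrafield_local <= ZIP_FIELD_MAX && size_extrafield_global <= ZIP_FIELD_MAX;
}

int main(void)
{
    /* Constructed lengths: a filename length close to 2^32 that, added to the
     * 46-byte fixed part and a 16-byte extra field, wraps to a 30-byte sum. */
    uint32_t f = 0xffffffe0u, e = 0x10u, c = 0u, sz = 0;
    printf("unchecked size   = %u bytes\n", central_header_size_unchecked(f, e, c));
    printf("bytes written    = %llu\n", (unsigned long long)central_header_bytes_written(f, e, c));
    printf("heap overflow    = %d\n", unchecked_allocation_too_small(f, e, c));
    printf("on-disk field for a 0x10005-byte name = %u\n", on_disk_length_field(0x10005u));
    printf("checked result   = %d\n", central_header_size_checked(f, 0, e, c, &sz));
    printf("guard on sane input = %d\n", zip_entry_params_ok("a.txt", NULL, 0, 0));
    return 0;
}
```

With the constructed values the unchecked sum wraps to 30 bytes (62 after the reserve) while roughly 4 GiB would be copied; the checked variant refuses the input before any allocation. The guard at the end is what a package carrying its own copy of minizip/zip.c could apply at its call sites until its vendored copy is patched, which is the situation the later messages in this log describe.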



Marked as found in versions zlib/1:1.2.13.dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 20 Oct 2023 19:54:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, Mark Brown <broonie@debian.org>:
Bug#1054290; Package src:zlib. (Sat, 21 Oct 2023 10:33:05 GMT)


Acknowledgement sent to James Addison <jay@jp-hosting.net>:
Extra info received and forwarded to list. Copy sent to carnil@debian.org, Mark Brown <broonie@debian.org>. (Sat, 21 Oct 2023 10:33:06 GMT)


Message #12 received at 1054290@bugs.debian.org:

From: James Addison <jay@jp-hosting.net>
To: Debian Bug Tracking System <1054290@bugs.debian.org>
Subject: Re: zlib: CVE-2023-45853
Date: Sat, 21 Oct 2023 11:29:58 +0100
Source: zlib
Followup-For: Bug #1054290
X-Debbugs-Cc: carnil@debian.org

Although this bug exists in src:zlib, the only binary package affected is, I
believe, the 'minizip'[1] package.

A fix[2] for CVE-2023-45853 has been applied upstream, and is pending[3] an
upstream release.

Please find attached a patch to apply the commit containing the fix to the
Debian source package.

[1] - https://tracker.debian.org/pkg/minizip

[2] - https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c

[3] - https://github.com/madler/zlib/issues/868
[CVE-2023-45853-minizip.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Mark Brown <broonie@debian.org>:
Bug#1054290; Package src:zlib. (Sat, 21 Oct 2023 10:51:03 GMT)


Acknowledgement sent to James Addison <jay@jp-hosting.net>:
Extra info received and forwarded to list. Copy sent to carnil@debian.org, team@security.debian.org, Mark Brown <broonie@debian.org>. (Sat, 21 Oct 2023 10:51:03 GMT)


Message #17 received at 1054290@bugs.debian.org:

From: James Addison <jay@jp-hosting.net>
To: Debian Bug Tracking System <1054290@bugs.debian.org>
Subject: Re: zlib: CVE-2023-45853
Date: Sat, 21 Oct 2023 11:48:28 +0100
Source: zlib
Followup-For: Bug #1054290
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

I wrote:
> Although this bug exists in src:zlib, the only binary package affected is, I
> believe, the 'minizip'[1] package.

This turns out to be a half-truth: the affected minizip code is vendored into
other source packages, potentially requiring a larger audit.

The codesearch I used to determine that is:

https://codesearch.debian.net/search?q=filetype%3Ac+zipOpenNewFileInZip4_64&literal=0&perpkg=1

I haven't performed any callflow analysis to determine how many of those
packages make use of the affected zipOpenNewFileInZip4_64 function.

(I also accidentally omitted the security list from my previous comment, which
contains a patch based on the existing upstream fix)



Information forwarded to debian-bugs-dist@lists.debian.org, Mark Brown <broonie@debian.org>:
Bug#1054290; Package src:zlib. (Sat, 21 Oct 2023 11:09:03 GMT)


Acknowledgement sent to James Addison <jay@jp-hosting.net>:
Extra info received and forwarded to list. Copy sent to Mark Brown <broonie@debian.org>. (Sat, 21 Oct 2023 11:09:03 GMT)


Message #22 received at 1054290@bugs.debian.org:

From: James Addison <jay@jp-hosting.net>
To: Debian Bug Tracking System <1054290@bugs.debian.org>
Subject: Re: zlib: CVE-2023-45853
Date: Sat, 21 Oct 2023 12:04:55 +0100
Source: zlib
Followup-For: Bug #1054290
Control: tags -1 patch



Added tag(s) patch. Request was from James Addison <jay@jp-hosting.net> to 1054290-submit@bugs.debian.org. (Sat, 21 Oct 2023 11:09:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Mark Brown <broonie@debian.org>:
Bug#1054290; Package src:zlib. (Sat, 21 Oct 2023 13:03:03 GMT)


Acknowledgement sent to James Addison <jay@jp-hosting.net>:
Extra info received and forwarded to list. Copy sent to carnil@debian.org, team@security.debian.org, Mark Brown <broonie@debian.org>. (Sat, 21 Oct 2023 13:03:03 GMT)


Message #29 received at 1054290@bugs.debian.org:

From: James Addison <jay@jp-hosting.net>
To: Debian Bug Tracking System <1054290@bugs.debian.org>
Subject: Re: zlib: CVE-2023-45853
Date: Sat, 21 Oct 2023 14:01:27 +0100
Source: zlib
Followup-For: Bug #1054290
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

After reading the minizip/zip.c code[1], I think that the vulnerable function
is exposed for external linkage by any of the 'zipOpenNewFile*' functions.

Given that, I code-searched[2] for 'zipOpenFile' and collected the resulting
'packages.txt' file list provided under the dropdown menu.

To retrieve the corresponding source packages _for trixie_ I used the command:

  $ cat packages.txt | while read line; do apt source $line; done;

...and then to search for possible callsites, and report their filenames and
line numbers:

  $ find . -type f -name '*.c*' -exec grep -Hn zipOpenNewFile {} \; | grep -vw "minizip/minizip.c" | grep -vw "minizip/zip.c"

(note that this also filters out the vendored source files themselves,
because otherwise those would pollute the search results)

I then manually removed 'chromium' from the results because that codebase has
the patch applied[3] already (this is from upstream I believe).

Finally I manually removed a bunch of callsites that relate to error message
text, #defines, local variables and, in the case of Mono, some external
dynamic library references.

It appears to me that 34 packages in Trixie may be affected, with a total
of 59 lines of callsites to 'zipOpenFile' functions.  Please find my
assessment attached as 'trixie-callsites.txt'.

[1] - https://sources.debian.org/src/zlib/1%3A1.2.13.dfsg-1/contrib/minizip/zip.c/

[2] - https://codesearch.debian.net/search?q=zipOpenNewFile&perpkg=1

[3] - https://sources.debian.org/src/chromium/118.0.5993.70-1/third_party/zlib/contrib/minizip/zip.c/?hl=1327#L1086-L1095
[trixie-callsites.txt (text/plain, attachment)]



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Oct 21 17:54:45 2023; Machine Name: bembo
