Debian Bug report logs - #1054290
zlib: CVE-2023-45853
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 20 Oct 2023 19:48:01 UTC
Severity: important
Tags: patch, security, upstream
Found in versions zlib/1:1.2.13.dfsg-1, zlib/1:1.2.13.dfsg-3
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Mark Brown <broonie@debian.org>: Bug#1054290; Package src:zlib. (Fri, 20 Oct 2023 19:48:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Mark Brown <broonie@debian.org>. (Fri, 20 Oct 2023 19:48:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: zlib
Version: 1:1.2.13.dfsg-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for zlib.
CVE-2023-45853[0]:
| MiniZip in zlib through 1.3 has an integer overflow and resultant
| heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long
| filename, comment, or extra field. NOTE: MiniZip is not a supported
| part of the zlib product.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-45853
https://www.cve.org/CVERecord?id=CVE-2023-45853
[1] https://github.com/madler/zlib/pull/843
[2] https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
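The CVE text above describes an integer overflow that leads to a heap overflow when a header-size sum wraps. The block below is an added example, not code from zlib, from the bug report or from the attached patch: a C model of that size arithmetic beside the kind of 16-bit bound check the upstream fix introduces. The function names, the pinned uInt typedef, the constructed length value and the decision to bound all four lengths (filename, local and global extra fields, comment) are this example's own; consult the upstream commit for the exact condition zlib applies.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not zlib code): model of the size arithmetic behind
 * CVE-2023-45853 in minizip's zipOpenNewFileInZip4_64.
 * zlib's uInt is unsigned int, 32 bits on every platform of interest; it is
 * pinned to uint32_t here so the wrap-around is deterministic.
 */
typedef uint32_t uInt;
typedef unsigned long uLong;

#define SIZECENTRALHEADER   0x2e   /* fixed part of a central directory header */
#define CENTRAL_EXTRA_FREE  32     /* slack minizip reserves for ZIP64 extra data */
#define ZIP_OK              0
#define ZIP_PARAMERROR      (-102)

/*
 * Vulnerable pattern: every operand is uInt, so the sum is evaluated in
 * 32-bit unsigned arithmetic and silently wraps before it is widened to
 * uLong and handed to the allocator.
 */
uLong vuln_central_header_alloc(uInt size_filename, uInt size_extrafield_global,
                                uInt size_comment)
{
    uLong size_centralheader = SIZECENTRALHEADER + size_filename
                             + size_extrafield_global + size_comment;
    return (uInt)size_centralheader + CENTRAL_EXTRA_FREE;
}

/* Bytes the header writer will actually copy into that buffer, summed without wrapping. */
uint64_t central_header_bytes_needed(uInt size_filename, uInt size_extrafield_global,
                                     uInt size_comment)
{
    return (uint64_t)SIZECENTRALHEADER + size_filename
         + size_extrafield_global + size_comment;
}

/* 1 if the allocation is smaller than what will be written into it (heap overflow). */
int vuln_overflows(uInt size_filename, uInt size_extrafield_global, uInt size_comment)
{
    return central_header_bytes_needed(size_filename, size_extrafield_global, size_comment)
         > vuln_central_header_alloc(size_filename, size_extrafield_global, size_comment);
}

/*
 * Hardened pattern: the zip format stores these lengths in 16-bit fields, so
 * anything above 0xffff is rejected with ZIP_PARAMERROR before any arithmetic.
 * Bounding all four lengths is this example's choice (assumption); the upstream
 * commit is the reference for the exact set zlib checks.
 */
int checked_central_header_alloc(uInt size_filename, uInt size_extrafield_local,
                                 uInt size_extrafield_global, uInt size_comment,
                                 uLong *alloc_size)
{
    if (size_filename > 0xffff || size_extrafield_local > 0xffff ||
        size_extrafield_global > 0xffff || size_comment > 0xffff)
        return ZIP_PARAMERROR;
    /* Every term is <= 0xffff, so the sum stays far below 2^32 and cannot wrap. */
    *alloc_size = (uLong)SIZECENTRALHEADER + size_filename
                + size_extrafield_global + size_comment + CENTRAL_EXTRA_FREE;
    return ZIP_OK;
}

int main(void)
{
    uInt huge = 0xfffffff0u;   /* constructed attacker-controlled filename length */
    uLong alloc = 0;

    printf("vulnerable: allocates %lu bytes, writer needs %llu, overflow=%d\n",
           vuln_central_header_alloc(huge, 0, 0),
           (unsigned long long)central_header_bytes_needed(huge, 0, 0),
           vuln_overflows(huge, 0, 0));
    printf("hardened, huge name: rc=%d\n",
           checked_central_header_alloc(huge, 0, 0, 0, &alloc));
    printf("hardened, 12-byte name: rc=%d alloc=%lu\n",
           checked_central_header_alloc(12, 0, 0, 0, &alloc), alloc);
    return 0;
}
```

With a 0xfffffff0-byte filename the vulnerable sum wraps to 30, so the allocator is asked for 62 bytes while the writer copies over four gigabytes into them; the hardened path never reaches the arithmetic because the length cannot be represented in the format's 16-bit field.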
Marked as found in versions zlib/1:1.2.13.dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 20 Oct 2023 19:54:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, Mark Brown <broonie@debian.org>: Bug#1054290; Package src:zlib. (Sat, 21 Oct 2023 10:33:05 GMT)
Acknowledgement sent to James Addison <jay@jp-hosting.net>: Extra info received and forwarded to list. Copy sent to carnil@debian.org, Mark Brown <broonie@debian.org>. (Sat, 21 Oct 2023 10:33:06 GMT)
Message #12 received at 1054290@bugs.debian.org:
Source: zlib
Followup-For: Bug #1054290
X-Debbugs-Cc: carnil@debian.org
Although this bug exists in src:zlib, the only binary package affected is, I
believe, the 'minizip'[1] package.
A fix[2] for CVE-2023-45853 has been applied upstream, and is pending[3] an
upstream release.
Please find attached a patch to apply the commit containing the fix to the
Debian source package.
[1] - https://tracker.debian.org/pkg/minizip
[2] - https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c
[3] - https://github.com/madler/zlib/issues/868
[CVE-2023-45853-minizip.patch (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Mark Brown <broonie@debian.org>: Bug#1054290; Package src:zlib. (Sat, 21 Oct 2023 10:51:03 GMT)
Acknowledgement sent to James Addison <jay@jp-hosting.net>: Extra info received and forwarded to list. Copy sent to carnil@debian.org, team@security.debian.org, Mark Brown <broonie@debian.org>. (Sat, 21 Oct 2023 10:51:03 GMT)
Message #17 received at 1054290@bugs.debian.org:
Source: zlib
Followup-For: Bug #1054290
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
I wrote:
> Although this bug exists in src:zlib, the only binary package affected is, I
> believe, the 'minizip'[1] package.
This turns out to be a half-truth: the affected minizip code is vendored into
other source packages, potentially requiring a larger audit.
The codesearch I used to determine that is:
https://codesearch.debian.net/search?q=filetype%3Ac+zipOpenNewFileInZip4_64&literal=0&perpkg=1
I haven't performed any callflow analysis to determine how many of those
packages make use of the affected zipOpenNewFileInZip4_64 function.
(I also accidentally omitted the security list from my previous comment, which
contains a patch based on the existing upstream fix)
Information forwarded to debian-bugs-dist@lists.debian.org, Mark Brown <broonie@debian.org>: Bug#1054290; Package src:zlib. (Sat, 21 Oct 2023 11:09:03 GMT)
Acknowledgement sent to James Addison <jay@jp-hosting.net>: Extra info received and forwarded to list. Copy sent to Mark Brown <broonie@debian.org>. (Sat, 21 Oct 2023 11:09:03 GMT)
Message #22 received at 1054290@bugs.debian.org:
Source: zlib
Followup-For: Bug #1054290
Control: tags -1 patch
Added tag(s) patch. Request was from James Addison <jay@jp-hosting.net> to 1054290-submit@bugs.debian.org. (Sat, 21 Oct 2023 11:09:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Mark Brown <broonie@debian.org>: Bug#1054290; Package src:zlib. (Sat, 21 Oct 2023 13:03:03 GMT)
Acknowledgement sent to James Addison <jay@jp-hosting.net>: Extra info received and forwarded to list. Copy sent to carnil@debian.org, team@security.debian.org, Mark Brown <broonie@debian.org>. (Sat, 21 Oct 2023 13:03:03 GMT)
Message #29 received at 1054290@bugs.debian.org:
Source: zlib
Followup-For: Bug #1054290
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
After reading the minizip/zip.c code[1], I think that the vulnerable function
is exposed for external linkage by any of the 'zipOpenNewFile*' functions.
Given that, I code-searched[2] for 'zipOpenFile' and collected the resulting
'packages.txt' file list provided under the dropdown menu.
To retrieve the corresponding source packages _for trixie_ I used the command:
$ while read -r line; do apt source "$line"; done < packages.txt
...and then to search for possible callsites, and report their filenames and
line numbers:
$ find . -type f -name '*.c*' -exec grep -Hn zipOpenNewFile {} \; | grep -vw "minizip/minizip.c" | grep -vw "minizip/zip.c"
(note that this also filters out the vendored source files themselves,
because otherwise those would pollute the search results)
I then manually removed 'chromium' from the results because that codebase has
the patch applied[3] already (this is from upstream I believe).
Finally, I manually removed a bunch of callsites that relate to error message
text, #defines, local variables and, in the case of Mono, some external
dynamic library references.
It appears to me that 34 packages in Trixie may be affected, with a total
of 59 lines of callsites to 'zipOpenFile' functions. Please find my
assessment attached as 'trixie-callsites.txt'.
[1] - https://sources.debian.org/src/zlib/1%3A1.2.13.dfsg-1/contrib/minizip/zip.c/
[2] - https://codesearch.debian.net/search?q=zipOpenNewFile&perpkg=1
[3] - https://sources.debian.org/src/chromium/118.0.5993.70-1/third_party/zlib/contrib/minizip/zip.c/?hl=1327#L1086-L1095
[trixie-callsites.txt (text/plain, attachment)]
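The triage procedure in the message above (fetch the source packages, grep for zipOpenNewFile callsites, drop the vendored minizip files, then weed out false positives by hand) as an added example that is not part of the bug report or of the attached trixie-callsites.txt. The source tree it searches is constructed inline so the filters can be checked offline; the function names make_sample_tree, find_callsites and count_callsites are this example's own. It tightens the grep to call-like uses, which removes the error-string matches the message filtered manually, but deliberately leaves a C# P/Invoke declaration in the results to show that the '*.c*' glob also matches .cs files and that manual review is still needed.

```shell
#!/bin/sh
# Added example (not from the bug report): the callsite search from the
# message above, packaged as functions and run over a constructed tree.

# Build a small constructed tree: pkg-a vendors minizip and calls it from its
# own code; pkg-b only mentions the function in an error string and a C# binding.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/pkg-a/contrib/minizip" "$root/pkg-a/src" "$root/pkg-b/src"
    # the vendored copy itself: definition in zip.c, bundled example program in minizip.c
    printf 'extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char *filename)\n{\n    return ZIP_OK;\n}\n' \
        > "$root/pkg-a/contrib/minizip/zip.c"
    printf 'err = zipOpenNewFileInZip3_64(zf, filenameinzip, &zi, NULL, 0, NULL, 0, NULL, Z_DEFLATED, opt_compress_level, 0, -MAX_WBITS, DEF_MEM_LEVEL, Z_DEFAULT_STRATEGY, password, crcFile, zip64);\n' \
        > "$root/pkg-a/contrib/minizip/minizip.c"
    # a real caller in package code: this is what the audit is looking for
    printf 'int add_entry(zipFile zf, const char *name)\n{\n    return zipOpenNewFileInZip(zf, name, NULL, NULL, 0, NULL, 0, NULL, Z_DEFLATED, Z_DEFAULT_COMPRESSION);\n}\n' \
        > "$root/pkg-a/src/archive.cpp"
    # error-message text only, no call: a false positive for a plain substring grep
    printf 'fprintf(stderr, "zipOpenNewFileInZip failed\\n");\n' \
        > "$root/pkg-b/src/errors.c"
    # C# P/Invoke declaration; -name '*.c*' also matches .cs, which is how Mono shows up
    printf '[DllImport("MonoPosixHelper")] static extern int zipOpenNewFileInZip(IntPtr zf, string name);\n' \
        > "$root/pkg-b/src/Zip.cs"
}

# List candidate callsites as file:line:text. Compared with the one-liner in the
# message this requires a call-like "zipOpenNewFile...(" so bare mentions in
# strings drop out, and it excludes the vendored minizip sources by path.
find_callsites() {
    find "$1" -type f -name '*.c*' \
        -exec grep -Hn -E 'zipOpenNewFile[A-Za-z0-9_]*[[:space:]]*\(' {} + \
        | grep -v -e '/minizip/zip\.c:' -e '/minizip/minizip\.c:'
}

# Number of candidate lines left for manual review.
count_callsites() {
    find_callsites "$1" | wc -l | tr -d ' '
}

# Usage: . ./callsites.sh; d=$(mktemp -d); make_sample_tree "$d"; find_callsites "$d"
# Pointed at a directory of unpacked `apt source` trees instead of the sample,
# the same two functions give the raw list the message's assessment started from.
```

On the sample tree the search returns two lines: the call in pkg-a/src/archive.cpp and the P/Invoke declaration in pkg-b/src/Zip.cs. The vendored zip.c and minizip.c are dropped by path and the error string in errors.c never matches, so what remains is exactly the set a reviewer has to classify by hand.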
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Oct 21 17:54:45 2023; Machine Name: bembo