CVE-2023-45853

Name	CVE-2023-45853
Description	MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3670-1, ELA-1010-1
Debian Bugs	1054290, 1056718

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
minizip (PTS)	jessie	1.1-5	vulnerable
	stretch (lts), stretch	1.1-8+deb9u1	fixed
	buster (security), buster, buster (lts)	1.1-8+deb10u1	fixed
	bullseye	1.1-8+deb11u1	fixed
	bookworm	1.1-8+deb12u1	fixed
zlib (PTS)	jessie, jessie (lts)	1:1.2.8.dfsg-2+deb8u3	vulnerable
	stretch (security)	1:1.2.8.dfsg-5+deb9u1	vulnerable
	stretch (lts), stretch	1:1.2.8.dfsg-5+deb9u2	vulnerable
	buster (security), buster, buster (lts)	1:1.2.11.dfsg-1+deb10u2	vulnerable
	bullseye (security), bullseye	1:1.2.11.dfsg-2+deb11u2	vulnerable
	bookworm	1:1.2.13.dfsg-1	vulnerable
	sid, trixie	1:1.3.dfsg+really1.3.1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
minizip	source	jessie	(unfixed)	end-of-life
minizip	source	stretch	1.1-8+deb9u1		ELA-1010-1
minizip	source	buster	1.1-8+deb10u1		DLA-3670-1
minizip	source	bullseye	1.1-8+deb11u1
minizip	source	bookworm	1.1-8+deb12u1
minizip	source	(unstable)	(unfixed)			1056718
zlib	source	(unstable)	1:1.3.dfsg-2			1054290

Notes

[bookworm] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages)
[bullseye] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages)
[buster] - zlib <ignored> (contrib/minizip not built and src:zlib not producing binary packages)
https://github.com/madler/zlib/pull/843
https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c
src:zlib only starts building minizip starting in 1:1.2.13.dfsg-2
For older suites due to this an update can be ignored as no binary package built
by the vulnerable source is affected (i.e. contrib/minizip not built and provided
in those versions).
[stretch] - zlib <ignored> (contrib/minizip not built and producing binary packages, started with 1:1.2.13.dfsg-2)
[jessie] - zlib <ignored> (contrib/minizip not built and producing binary packages, started with 1:1.2.13.dfsg-2)