CVE-2023-45853

Name
CVE-2023-45853
Description
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://www.winimage.com/zLibDll/minizip.html
MISC https://github.com/madler/zlib/pull/843
MISC https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356
MISC https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61
MISC https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4
MLIST http://www.openwall.com/lists/oss-security/2023/10/20/9
cve@mitre.org https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html
cve@mitre.org https://security.netapp.com/advisory/ntap-20231130-0009/
cve@mitre.org https://pypi.org/project/pyminizip/#history
cve@mitre.org https://security.gentoo.org/glsa/202401-18
cve@mitre.org http://www.openwall.com/lists/oss-security/2024/01/24/10

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:* zlib >= None <= 1.3

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
zlib 3.18-main 1.2.13-r1 Natanael Copa <ncopa@alpinelinux.org> fixed
zlib 3.17-main 1.2.13-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
zlib 3.16-main 1.2.12-r3 Natanael Copa <ncopa@alpinelinux.org> fixed
zlib 3.15-main 1.2.12-r3 Natanael Copa <ncopa@alpinelinux.org> fixed
minizip 3.18-community 1.2.13-r1 Natanael Copa <ncopa@alpinelinux.org> fixed