CVE-2023-45853

EUVD-2023-2778
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 80%
Affected Products (NVD)
VendorProductVersion
zlibzlib
𝑥
< 1.3.1
smihicapyminizip
𝑥
≤ 0.2.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
minizip
bookworm
1.1-8+deb12u1
ignored
bullseye
1.1-8+deb11u1
ignored
buster
ignored
zlib
bookworm
ignored
bullseye
ignored
bullseye (security)
vulnerable
buster
ignored
sid
1:1.3.dfsg+really1.3.1-1
fixed
trixie
1:1.3.dfsg+really1.3.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
klibc
bionic
not-affected
focal
not-affected
jammy
not-affected
mantic
not-affected
noble
not-affected
oracular
not-affected
trusty
not-affected
xenial
not-affected
rsync
bionic
not-affected
focal
not-affected
jammy
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
oracular
not-affected
trusty
not-affected
xenial
not-affected
zlib
bionic
not-affected
focal
not-affected
jammy
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
oracular
not-affected
trusty
Fixed 1:1.2.8.dfsg-1ubuntu1.1+esm3
released
xenial
not-affected
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2023/10/20/9
http://www.openwall.com/lists/oss-security/2024/01/24/10
https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356
https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61
https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4
https://github.com/madler/zlib/pull/843
https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html
https://pypi.org/project/pyminizip/#history
https://security.gentoo.org/glsa/202401-18
https://security.netapp.com/advisory/ntap-20231130-0009/
https://www.winimage.com/zLibDll/minizip.html
http://www.openwall.com/lists/oss-security/2023/10/20/9
http://www.openwall.com/lists/oss-security/2024/01/24/10
https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356
https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61
https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4
https://github.com/madler/zlib/pull/843
https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html
https://pypi.org/project/pyminizip/#history
https://security.gentoo.org/glsa/202401-18
https://security.netapp.com/advisory/ntap-20231130-0009/
https://www.winimage.com/zLibDll/minizip.html