CVE-2023-45853

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 80%
Affected Products (NVD)
VendorProductVersion
zlibzlib
𝑥
< 1.3.1
smihicapyminizip
𝑥
≤ 0.2.6
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
zlibzlib
𝑥
< 1.3
ADP
Debian logo
Debian Releases
Debian Product
Codename
minizip
bookworm
1.1-8+deb12u1
ignored
bullseye
1.1-8+deb11u1
ignored
buster
ignored
zlib
bookworm
ignored
bullseye
ignored
bullseye (security)
vulnerable
buster
ignored
sid
1:1.3.dfsg+really1.3.1-1
fixed
trixie
1:1.3.dfsg+really1.3.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
klibc
bionic
not-affected
focal
not-affected
jammy
not-affected
mantic
not-affected
noble
not-affected
oracular
not-affected
trusty
not-affected
xenial
not-affected
rsync
bionic
not-affected
focal
not-affected
jammy
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
oracular
not-affected
trusty
not-affected
xenial
not-affected
zlib
bionic
not-affected
focal
not-affected
jammy
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
oracular
not-affected
trusty
Fixed 1:1.2.8.dfsg-1ubuntu1.1+esm3
released
xenial
not-affected
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libminizip1
suse enterprise desktop 15 SP4
1.2.11-150000.3.48.1
fixed
suse enterprise desktop 15 SP5
1.2.13-150500.4.3.1
fixed
suse enterprise desktop 15 SP6
1.2.13-150500.4.3.1
fixed
suse enterprise desktop 15 SP7
1.2.13-150500.4.3.1
fixed
suse enterprise sap 15 SP4
1.2.11-150000.3.48.1
fixed
suse enterprise sap 15 SP5
1.2.13-150500.4.3.1
fixed
suse enterprise sap 15 SP6
1.2.13-150500.4.3.1
fixed
suse enterprise sap 15 SP7
1.2.13-150500.4.3.1
fixed
suse enterprise server 15 SP4
1.2.11-150000.3.48.1
fixed
suse enterprise server 15 SP5
1.2.13-150500.4.3.1
fixed
suse enterprise server 15 SP6
1.2.13-150500.4.3.1
fixed
suse enterprise server 15 SP7
1.2.13-150500.4.3.1
fixed
libz1
suse enterprise desktop 15 SP4
1.2.11-150000.3.48.1
fixed
suse enterprise desktop 15 SP5
1.2.13-150500.4.3.1
fixed
suse enterprise desktop 15 SP6
1.2.13-150500.4.3.1
fixed
suse enterprise desktop 15 SP7
1.2.13-150500.4.3.1
fixed
suse enterprise sap 12 SP5
1.2.11-11.37.1
fixed
suse enterprise sap 15 SP4
1.2.11-150000.3.48.1
fixed
suse enterprise sap 15 SP5
1.2.13-150500.4.3.1
fixed
suse enterprise sap 15 SP6
1.2.13-150500.4.3.1
fixed
suse enterprise sap 15 SP7
1.2.13-150500.4.3.1
fixed
suse enterprise server 12 SP3
1.2.8-12.12.1
fixed
suse enterprise server 12 SP5
1.2.11-11.37.1
fixed
suse enterprise server 15 SP4
1.2.11-150000.3.48.1
fixed
suse enterprise server 15 SP5
1.2.13-150500.4.3.1
fixed
suse enterprise server 15 SP6
1.2.13-150500.4.3.1
fixed
suse enterprise server 15 SP7
1.2.13-150500.4.3.1
fixed
libz1-32bit
suse enterprise desktop 15 SP4
1.2.11-150000.3.48.1
fixed
suse enterprise desktop 15 SP5
1.2.13-150500.4.3.1
fixed
suse enterprise desktop 15 SP6
1.2.13-150500.4.3.1
fixed
suse enterprise desktop 15 SP7
1.2.13-150500.4.3.1
fixed
suse enterprise sap 12 SP5
1.2.11-11.37.1
fixed
suse enterprise sap 15 SP4
1.2.11-150000.3.48.1
fixed
suse enterprise sap 15 SP5
1.2.13-150500.4.3.1
fixed
suse enterprise sap 15 SP6
1.2.13-150500.4.3.1
fixed
suse enterprise sap 15 SP7
1.2.13-150500.4.3.1
fixed
suse enterprise server 12 SP3
1.2.8-12.12.1
fixed
suse enterprise server 12 SP5
1.2.11-11.37.1
fixed
suse enterprise server 15 SP4
1.2.11-150000.3.48.1
fixed
suse enterprise server 15 SP5
1.2.13-150500.4.3.1
fixed
suse enterprise server 15 SP6
1.2.13-150500.4.3.1
fixed
suse enterprise server 15 SP7
1.2.13-150500.4.3.1
fixed
minizip-devel
suse enterprise desktop 15 SP4
1.2.11-150000.3.48.1
fixed
suse enterprise desktop 15 SP5
1.2.13-150500.4.3.1
fixed
suse enterprise desktop 15 SP6
1.2.13-150500.4.3.1
fixed
suse enterprise desktop 15 SP7
1.2.13-150500.4.3.1
fixed
suse enterprise sap 15 SP4
1.2.11-150000.3.48.1
fixed
suse enterprise sap 15 SP5
1.2.13-150500.4.3.1
fixed
suse enterprise sap 15 SP6
1.2.13-150500.4.3.1
fixed
suse enterprise sap 15 SP7
1.2.13-150500.4.3.1
fixed
suse enterprise server 15 SP4
1.2.11-150000.3.48.1
fixed
suse enterprise server 15 SP5
1.2.13-150500.4.3.1
fixed
suse enterprise server 15 SP6
1.2.13-150500.4.3.1
fixed
suse enterprise server 15 SP7
1.2.13-150500.4.3.1
fixed
zlib-devel
suse enterprise desktop 15 SP4
1.2.11-150000.3.48.1
fixed
suse enterprise desktop 15 SP5
1.2.13-150500.4.3.1
fixed
suse enterprise desktop 15 SP6
1.2.13-150500.4.3.1
fixed
suse enterprise desktop 15 SP7
1.2.13-150500.4.3.1
fixed
suse enterprise sap 12 SP5
1.2.11-11.37.1
fixed
suse enterprise sap 15 SP4
1.2.11-150000.3.48.1
fixed
suse enterprise sap 15 SP5
1.2.13-150500.4.3.1
fixed
suse enterprise sap 15 SP6
1.2.13-150500.4.3.1
fixed
suse enterprise sap 15 SP7
1.2.13-150500.4.3.1
fixed
suse enterprise server 12 SP3
1.2.8-12.12.1
fixed
suse enterprise server 12 SP5
1.2.11-11.37.1
fixed
suse enterprise server 15 SP4
1.2.11-150000.3.48.1
fixed
suse enterprise server 15 SP5
1.2.13-150500.4.3.1
fixed
suse enterprise server 15 SP6
1.2.13-150500.4.3.1
fixed
suse enterprise server 15 SP7
1.2.13-150500.4.3.1
fixed
zlib-devel-32bit
suse enterprise sap 12 SP5
1.2.11-11.37.1
fixed
suse enterprise server 12 SP5
1.2.11-11.37.1
fixed
suse enterprise server 15 SP4
1.2.11-150000.3.48.1
fixed
zlib-devel-static
suse enterprise desktop 15 SP4
1.2.11-150000.3.48.1
fixed
suse enterprise desktop 15 SP5
1.2.13-150500.4.3.1
fixed
suse enterprise desktop 15 SP6
1.2.13-150500.4.3.1
fixed
suse enterprise desktop 15 SP7
1.2.13-150500.4.3.1
fixed
suse enterprise sap 12 SP5
1.2.11-11.37.1
fixed
suse enterprise sap 15 SP4
1.2.11-150000.3.48.1
fixed
suse enterprise sap 15 SP5
1.2.13-150500.4.3.1
fixed
suse enterprise sap 15 SP6
1.2.13-150500.4.3.1
fixed
suse enterprise sap 15 SP7
1.2.13-150500.4.3.1
fixed
suse enterprise server 12 SP5
1.2.11-11.37.1
fixed
suse enterprise server 15 SP4
1.2.11-150000.3.48.1
fixed
suse enterprise server 15 SP5
1.2.13-150500.4.3.1
fixed
suse enterprise server 15 SP6
1.2.13-150500.4.3.1
fixed
suse enterprise server 15 SP7
1.2.13-150500.4.3.1
fixed
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2023/10/20/9
http://www.openwall.com/lists/oss-security/2024/01/24/10
https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356
https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61
https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4
https://github.com/madler/zlib/pull/843
https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html
https://pypi.org/project/pyminizip/#history
https://security.gentoo.org/glsa/202401-18
https://security.netapp.com/advisory/ntap-20231130-0009/
https://www.winimage.com/zLibDll/minizip.html
http://www.openwall.com/lists/oss-security/2023/10/20/9
http://www.openwall.com/lists/oss-security/2024/01/24/10
https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356
https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61
https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4
https://github.com/madler/zlib/pull/843
https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html
https://pypi.org/project/pyminizip/#history
https://security.gentoo.org/glsa/202401-18
https://security.netapp.com/advisory/ntap-20231130-0009/
https://www.winimage.com/zLibDll/minizip.html