[SECURITY] [DLA 3670-1] minizip security update

2023-11-2723:14:37

lists.debian.org

minizip

integer overflow

heap-based buffer overflow

debian 10 buster

security update

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.8%

JSON

Debian LTS Advisory DLA-3670-1 [email protected]
https://www.debian.org/lts/security/ Thorsten Alteholz
November 28, 2023 https://wiki.debian.org/LTS

Package : minizip
Version : 1.1-8+deb10u1
CVE ID : CVE-2023-45853

An issue has been found in minizip, a compression library.
When using long filenames, an integer overflow might happen, which results
in a heap-based buffer overflow in zipOpenNewFileInZip4_64().

For Debian 10 buster, this problem has been fixed in version
1.1-8+deb10u1.

We recommend that you upgrade your minizip packages.

For the detailed security status of minizip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/minizip

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian11mipsellibminizip-dev< 1.1-8+deb11u1libminizip-dev_1.1-8+deb11u1_mipsel.deb
Debian12ppc64elminizip< 1.1-8+deb12u1minizip_1.1-8+deb12u1_ppc64el.deb
Debian11armhfminizip-dbgsym< 1.1-8+deb11u1minizip-dbgsym_1.1-8+deb11u1_armhf.deb
Debian12armellibminizip-dev< 1.1-8+deb12u1libminizip-dev_1.1-8+deb12u1_armel.deb
Debian12armellibminizip1< 1.1-8+deb12u1libminizip1_1.1-8+deb12u1_armel.deb
Debian12armhfminizip-dbgsym< 1.1-8+deb12u1minizip-dbgsym_1.1-8+deb12u1_armhf.deb
Debian11armhflibminizip1< 1.1-8+deb11u1libminizip1_1.1-8+deb11u1_armhf.deb
Debian11s390xminizip-dbgsym< 1.1-8+deb11u1minizip-dbgsym_1.1-8+deb11u1_s390x.deb
Debian12mipsellibminizip1< 1.1-8+deb12u1libminizip1_1.1-8+deb12u1_mipsel.deb
Debian10amd64libminizip1< 1.1-8+deb10u1libminizip1_1.1-8+deb10u1_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	11	mipsel	libminizip-dev	< 1.1-8+deb11u1	libminizip-dev_1.1-8+deb11u1_mipsel.deb
Debian	12	ppc64el	minizip	< 1.1-8+deb12u1	minizip_1.1-8+deb12u1_ppc64el.deb
Debian	11	armhf	minizip-dbgsym	< 1.1-8+deb11u1	minizip-dbgsym_1.1-8+deb11u1_armhf.deb
Debian	12	armel	libminizip-dev	< 1.1-8+deb12u1	libminizip-dev_1.1-8+deb12u1_armel.deb
Debian	12	armel	libminizip1	< 1.1-8+deb12u1	libminizip1_1.1-8+deb12u1_armel.deb
Debian	12	armhf	minizip-dbgsym	< 1.1-8+deb12u1	minizip-dbgsym_1.1-8+deb12u1_armhf.deb
Debian	11	armhf	libminizip1	< 1.1-8+deb11u1	libminizip1_1.1-8+deb11u1_armhf.deb
Debian	11	s390x	minizip-dbgsym	< 1.1-8+deb11u1	minizip-dbgsym_1.1-8+deb11u1_s390x.deb
Debian	12	mipsel	libminizip1	< 1.1-8+deb12u1	libminizip1_1.1-8+deb12u1_mipsel.deb
Debian	10	amd64	libminizip1	< 1.1-8+deb10u1	libminizip1_1.1-8+deb10u1_amd64.deb