Package: release.debian.org Severity: normal Tags: bookworm User: release.debian....@packages.debian.org Usertags: pu
The attached debdiff for minizip fixes CVE-2023-45853 in Bookworm. This CVE has been marked as no-dsa by the security team.
Chrome upstream added a test for their internal copy of minizip. Running this test against libminizip1 of this package worked as well, so I don't expect any problems.
Thorsten
diff -Nru minizip-1.1/debian/changelog minizip-1.1/debian/changelog --- minizip-1.1/debian/changelog 2016-01-03 04:24:26.000000000 +0100 +++ minizip-1.1/debian/changelog 2023-11-25 13:03:02.000000000 +0100 @@ -1,3 +1,11 @@ +minizip (1.1-8+deb12u1) bookworm; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2023-45853 (Closes: #1056719) + Reject overflows of zip header fields in minizip. + + -- Thorsten Alteholz <deb...@alteholz.de> Sat, 25 Nov 2023 13:03:02 +0100 + minizip (1.1-8) unstable; urgency=medium * Fix implicit function declaration. diff -Nru minizip-1.1/debian/patches/CVE-2023-45853.patch minizip-1.1/debian/patches/CVE-2023-45853.patch --- minizip-1.1/debian/patches/CVE-2023-45853.patch 1970-01-01 01:00:00.000000000 +0100 +++ minizip-1.1/debian/patches/CVE-2023-45853.patch 2023-11-18 17:51:11.000000000 +0100 @@ -0,0 +1,34 @@ +commit 73331a6a0481067628f065ffe87bb1d8f787d10c +Author: Hans Wennborg <h...@chromium.org> +Date: Fri Aug 18 11:05:33 2023 +0200 + + Reject overflows of zip header fields in minizip. + + This checks the lengths of the file name, extra field, and comment + that would be put in the zip headers, and rejects them if they are + too long. They are each limited to 65535 bytes in length by the zip + format. This also avoids possible buffer overflows if the provided + fields are too long. + +Index: minizip-1.1/zip.c +=================================================================== +--- minizip-1.1.orig/zip.c 2023-11-18 17:51:05.539763813 +0100 ++++ minizip-1.1/zip.c 2023-11-18 17:51:05.539763813 +0100 +@@ -1082,6 +1082,17 @@ + return ZIP_PARAMERROR; + #endif + ++ // The filename and comment length must fit in 16 bits. ++ if ((filename!=NULL) && (strlen(filename)>0xffff)) ++ return ZIP_PARAMERROR; ++ if ((comment!=NULL) && (strlen(comment)>0xffff)) ++ return ZIP_PARAMERROR; ++ // The extra field length must fit in 16 bits. If the member also requires ++ // a Zip64 extra block, that will also need to fit within that 16-bit ++ // length, but that will be checked for later. ++ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff)) ++ return ZIP_PARAMERROR; ++ + zi = (zip64_internal*)file; + + if (zi->in_opened_file_inzip == 1) diff -Nru minizip-1.1/debian/patches/series minizip-1.1/debian/patches/series --- minizip-1.1/debian/patches/series 2016-01-03 04:14:08.000000000 +0100 +++ minizip-1.1/debian/patches/series 2023-11-18 17:50:30.000000000 +0100 @@ -1,3 +1,5 @@ include.patch automake.patch traversal.patch + +CVE-2023-45853.patch
