Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
The attached debdiff for minizip fixes CVE-2023-45853 in Bullseye. This
CVE has been marked as no-dsa by the security team.
As this is the same version as in Bookworm, I don't expect any problems in
Bullseye as well.
Thorsten
diff -Nru minizip-1.1/debian/changelog minizip-1.1/debian/changelog
--- minizip-1.1/debian/changelog 2016-01-03 04:24:26.000000000 +0100
+++ minizip-1.1/debian/changelog 2023-11-25 13:03:02.000000000 +0100
@@ -1,3 +1,11 @@
+minizip (1.1-8+deb11u1) bullseye; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2023-45853 (Closes: #1056719)
+ Reject overflows of zip header fields in minizip.
+
+ -- Thorsten Alteholz <deb...@alteholz.de> Sat, 25 Nov 2023 13:03:02 +0100
+
minizip (1.1-8) unstable; urgency=medium
* Fix implicit function declaration.
diff -Nru minizip-1.1/debian/patches/CVE-2023-45853.patch
minizip-1.1/debian/patches/CVE-2023-45853.patch
--- minizip-1.1/debian/patches/CVE-2023-45853.patch 1970-01-01
01:00:00.000000000 +0100
+++ minizip-1.1/debian/patches/CVE-2023-45853.patch 2023-11-18
17:54:41.000000000 +0100
@@ -0,0 +1,34 @@
+commit 73331a6a0481067628f065ffe87bb1d8f787d10c
+Author: Hans Wennborg <h...@chromium.org>
+Date: Fri Aug 18 11:05:33 2023 +0200
+
+ Reject overflows of zip header fields in minizip.
+
+ This checks the lengths of the file name, extra field, and comment
+ that would be put in the zip headers, and rejects them if they are
+ too long. They are each limited to 65535 bytes in length by the zip
+ format. This also avoids possible buffer overflows if the provided
+ fields are too long.
+
+Index: minizip-1.1/zip.c
+===================================================================
+--- minizip-1.1.orig/zip.c 2023-11-18 17:51:05.539763813 +0100
++++ minizip-1.1/zip.c 2023-11-18 17:51:05.539763813 +0100
+@@ -1082,6 +1082,17 @@
+ return ZIP_PARAMERROR;
+ #endif
+
++ // The filename and comment length must fit in 16 bits.
++ if ((filename!=NULL) && (strlen(filename)>0xffff))
++ return ZIP_PARAMERROR;
++ if ((comment!=NULL) && (strlen(comment)>0xffff))
++ return ZIP_PARAMERROR;
++ // The extra field length must fit in 16 bits. If the member also requires
++ // a Zip64 extra block, that will also need to fit within that 16-bit
++ // length, but that will be checked for later.
++ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
++ return ZIP_PARAMERROR;
++
+ zi = (zip64_internal*)file;
+
+ if (zi->in_opened_file_inzip == 1)
diff -Nru minizip-1.1/debian/patches/series minizip-1.1/debian/patches/series
--- minizip-1.1/debian/patches/series 2016-01-03 04:14:08.000000000 +0100
+++ minizip-1.1/debian/patches/series 2023-11-18 17:54:50.000000000 +0100
@@ -1,3 +1,5 @@
include.patch
automake.patch
traversal.patch
+
+CVE-2023-45853.patch
