On Wed, Nov 22, 2023 at 10:39:56PM +0530, thomas wrote:
> is there any way we could get
> a fix in bookworm release or is there any other suggestion.

Whenever the security team releases a fix.

> CVE-2023-45853
> https://security-tracker.debian.org/tracker/CVE-2023-45853
> "MiniZip in zlib through 1.3 has an integer overflow and resultant
> heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long
> filename, comment, or extra field. NOTE: MiniZip is not a supported
> part of the zlib product."
> JFrog Severity -High

I don't know how that severity level was determined. A buffer overflow in an unsupported part of the library doesn't sound "High" severity to me, but hey, what do I know.

> Summary
>
> A heap buffer overflow in zlib may lead to remote code execution when
> parsing a malicious archive.

Here's what I don't immediately understand: what actually triggers the bug? Does it require some explicit request to access the MiniZip functionality, or does it just automatically get called if the input archive is compressed with it? In other words, if you've got a malicious input file, will something like "zcat malicious.minizip" trigger it, or do you have to pass a "--minizip" flag or something? If it's the former, then maybe the "High" severity is justified.

> CVE-2023-31484
> Missing TLS check in CPAN.pm allows man-in-the-middle attacks when
> downloading packages and may lead to code execution.

That sounds pretty avoidable. Just don't do that. Do you actually use CPAN to download and compile perl modules on this system? If not, then this bug can't possibly affect you. In order to trigger this, not only would you have to be using CPAN in that way on your system, but the attacker would *also* have to compromise either the CPAN file servers, or some part of your TCP/IP connection to them.
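An added illustration of the bug class the CVE-2023-45853 text describes (an integer overflow in a header-size computation leading to an undersized heap buffer), not zlib's or minizip's own code and not part of the thread above. The constants, function names and simplified record layout are assumptions made for the example; only the 46-byte fixed size and the 16-bit length fields at offsets 28, 30 and 32 follow the zip central directory record format. The vulnerable and the hardened computation are shown side by side, together with a builder that only ever copies into a buffer sized by the checked version.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Illustration of the bug class behind CVE-2023-45853: a header size computed
 * from caller-supplied field lengths in 32-bit arithmetic wraps, so the heap
 * buffer allocated for the header is smaller than the bytes copied into it.
 * This is NOT zlib/minizip code; names, constants and layout are simplified
 * assumptions for the example.
 */

#define FIXED_HEADER_SIZE 46u     /* fixed part of a zip central directory record */
#define ZIP_FIELD_MAX     0xFFFFu /* the on-disk length fields are 16 bits wide */

/* Vulnerable pattern: the unsigned sum wraps modulo 2^32 and nothing checks
   the individual lengths, so a huge filename yields a tiny allocation. */
uint32_t header_size_unchecked(uint32_t name_len, uint32_t extra_len, uint32_t comment_len)
{
    return FIXED_HEADER_SIZE + name_len + extra_len + comment_len;
}

/* Hardened pattern: reject anything the 16-bit fields cannot hold. Bounding
   each term also bounds the sum (at most 46 + 3 * 65534), so it cannot wrap.
   Returns 0 on success, -1 when a field is rejected. */
int header_size_checked(uint32_t name_len, uint32_t extra_len, uint32_t comment_len,
                        uint32_t *out)
{
    if (name_len >= ZIP_FIELD_MAX || extra_len >= ZIP_FIELD_MAX || comment_len >= ZIP_FIELD_MAX)
        return -1;
    *out = FIXED_HEADER_SIZE + name_len + extra_len + comment_len;
    return 0;
}

/* Returns 1 when the unchecked computation under-allocates, i.e. when copying
   the three variable fields after the fixed part would run past the buffer. */
int unchecked_would_overflow(uint32_t name_len, uint32_t extra_len, uint32_t comment_len)
{
    uint64_t needed = (uint64_t)FIXED_HEADER_SIZE + name_len + extra_len + comment_len;
    return (uint64_t)header_size_unchecked(name_len, extra_len, comment_len) < needed;
}

/* Safe builder: sizes the buffer with the checked computation, writes the three
   16-bit length fields, then copies the variable fields. Never copies more than
   it allocated. Returns NULL (and allocates nothing) if any field is too long.
   The caller frees the result. */
unsigned char *build_header(const char *name, uint32_t name_len,
                            const unsigned char *extra, uint32_t extra_len,
                            const char *comment, uint32_t comment_len,
                            uint32_t *out_size)
{
    uint32_t size;
    if (header_size_checked(name_len, extra_len, comment_len, &size) != 0)
        return NULL;

    unsigned char *buf = calloc(1, size);
    if (buf == NULL)
        return NULL;

    /* Little-endian 16-bit length fields, as in the central directory record. */
    buf[28] = (unsigned char)(name_len & 0xFFu);
    buf[29] = (unsigned char)(name_len >> 8);
    buf[30] = (unsigned char)(extra_len & 0xFFu);
    buf[31] = (unsigned char)(extra_len >> 8);
    buf[32] = (unsigned char)(comment_len & 0xFFu);
    buf[33] = (unsigned char)(comment_len >> 8);

    /* Variable fields follow the fixed part in this order. */
    memcpy(buf + FIXED_HEADER_SIZE, name, name_len);
    memcpy(buf + FIXED_HEADER_SIZE + name_len, extra, extra_len);
    memcpy(buf + FIXED_HEADER_SIZE + name_len + extra_len, comment, comment_len);

    *out_size = size;
    return buf;
}
```

With a filename length near 4 GiB, `header_size_unchecked` wraps to a few dozen bytes while the copies that follow it in the vulnerable pattern would write gigabytes; `header_size_checked` refuses the same input before any allocation happens. The point for the question in the thread is that these lengths come from whatever program calls the minizip API to write an entry, so the exposure depends on which applications link minizip and where they get those strings from.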