
Please correct or address CVE-2023-45853 for minizip / zlib
Hello,

Several security databases flag Debian Bookworm and Bullseye as vulnerable to a critical-severity vulnerability in minizip as part of zlib. In the tracker for CVE-2023-45853, the notes already seem to capture that they are not vulnerable, but the table and the reported data show them as vulnerable.

The author has clarified multiple times that zlib is not vulnerable for these, and has stated there is no minizip code in these packages. The author also appears to have reached out to the Debian security team, and was rejected? Other distributions do not mark this code as vulnerable.

If this *is* vulnerable, can the fix just be backported to the version used in Bullseye and Bookworm?

https://security-tracker.debian.org/tracker/CVE-2023-45853

https://github.com/madler/zlib/pull/843#issuecomment-1987681984
https://github.com/madler/zlib/pull/843#issuecomment-2010683088
https://github.com/madler/zlib/pull/843#issuecomment-2050417533

Thanks,
Mike