
Re: Please correct or address CVE-2023-45853 for minizip / zlib



Hi Mike,

On Fri, Oct 25, 2024 at 08:42:28AM -0400, Mike Brancato wrote:
> Hello,
> 
> Several security databases flag Debian Bookworm and Bullseye as vulnerable to a critical severity vulnerability in minizip as part of zlib. In the tracker for CVE-2023-45853, the notes seem to already capture that they are not vulnerable. But the table and the reported data show vulnerable.
> 
> The author has clarified multiple times that zlib is not vulnerable for these, and has stated there is no minizip code in these packages. The author also appears to have reached out to the Debian security team, and was rejected? Other distributions do not mark this code as vulnerable.
> 
> If this *is* vulnerable, can the fix just be back ported to the version used in Bullseye and Bookworm?
> 
> https://security-tracker.debian.org/tracker/CVE-2023-45853
> 
> https://github.com/madler/zlib/pull/843#issuecomment-1987681984
> https://github.com/madler/zlib/pull/843#issuecomment-2010683088
> https://github.com/madler/zlib/pull/843#issuecomment-2050417533

The tracking here is already correct. The shipped source is affected,
but the security impact is not present, as the binaries are not built.
This is already sufficiently reflected with the ignored note.

Security scanners often ignore this assessment; might this be why you
are asking? In such a case, ask the vendor of your security scanner to
include assessment of the <ignored> (explanation) tag.

Thanks already,
Regards,
Salvatore

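The reply above says the tracker data is correct and that scanners go wrong by not reading the <ignored> assessment. The following is an added example, not code from this thread, from the Debian security tracker or from any scanner, of how a scanner could consume the tracker's JSON export and honour that assessment instead of reporting every "open" row as vulnerable. It assumes the field names status, fixed_version, repositories, nodsa and nodsa_reason as they appear in the export at https://security-tracker.debian.org/tracker/data/json, assumes that "not affected" is exported as fixed_version "0", and uses a constructed sample in that layout rather than downloaded tracker data (version strings and reason text are placeholders).

```python
"""Added example: triage Debian tracker JSON the way a scanner should,
so that <ignored> / no-dsa entries are not reported as actionable.

Not the tracker's or any scanner's own code. Field names are assumed to
match the export at https://security-tracker.debian.org/tracker/data/json;
SAMPLE_TRACKER_JSON below is constructed for this example.
"""
import json
from typing import Optional

# Constructed sample in the export's layout: package -> CVE -> per-release data.
# Version strings and the free-text reason are placeholders, not tracker content.
SAMPLE_TRACKER_JSON = json.dumps({
    "zlib": {
        "CVE-2023-45853": {
            "scope": "remote",
            "releases": {
                "bullseye": {
                    "status": "open",
                    "repositories": {"bullseye": "1:1.2.11.dfsg-2"},
                    "urgency": "unimportant",
                    "nodsa": "minizip is not built from the source package",
                    "nodsa_reason": "ignored",
                },
                "bookworm": {
                    "status": "open",
                    "repositories": {"bookworm": "1:1.2.13.dfsg-1"},
                    "urgency": "unimportant",
                    "nodsa": "minizip is not built from the source package",
                    "nodsa_reason": "ignored",
                },
                "sid": {  # constructed: pretend the fix landed in unstable
                    "status": "resolved",
                    "repositories": {"sid": "1:1.3.dfsg-3"},
                    "fixed_version": "1:1.3.dfsg-3",
                    "urgency": "unimportant",
                },
            },
        }
    }
})

# Only these verdicts should reach a human; everything else is already assessed.
ACTIONABLE = {"vulnerable", "undetermined"}


def assess_release(rel: Optional[dict], release: str) -> tuple:
    """Classify one per-release entry as (verdict, reason).

    Precedence: resolved > ignored > postponed > plain no-dsa > open. A naive
    scanner stops at status == "open" and calls the row vulnerable; the point
    here is that the nodsa fields carry the Debian security team's assessment.
    """
    if rel is None:
        return "unlisted", f"{release} not present in tracker entry"
    status = rel.get("status")
    if status == "resolved":
        fixed = rel.get("fixed_version", "")
        # Assumption: the export uses fixed_version "0" for "not affected".
        if fixed == "0":
            return "not-affected", "tracker marks release as not affected"
        return "fixed", f"fixed in {fixed or 'unknown version'}"
    if status == "undetermined":
        return "undetermined", "not yet assessed by the Debian security team"
    reason = rel.get("nodsa", "")
    kind = rel.get("nodsa_reason", "")
    if kind == "ignored":
        return "ignored", reason or "no security impact per Debian assessment"
    if kind == "postponed":
        return "postponed", reason or "fix deferred to a later upload"
    if reason:
        return "no-dsa", reason
    shipped = rel.get("repositories", {}).get(release, "unknown version")
    return "vulnerable", f"open, shipped version {shipped}"


def triage(tracker_json: str, installed: dict) -> list:
    """installed maps source package name -> release it was installed from.
    Returns one row per (package, CVE) with the verdict a scanner should show."""
    data = json.loads(tracker_json)
    rows = []
    for pkg, release in installed.items():
        for cve, entry in data.get(pkg, {}).items():
            verdict, why = assess_release(entry.get("releases", {}).get(release), release)
            rows.append({"package": pkg, "cve": cve, "release": release,
                         "verdict": verdict, "actionable": verdict in ACTIONABLE,
                         "reason": why})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_TRACKER_JSON, {"zlib": "bookworm"}):
        flag = "ACTION" if row["actionable"] else "info"
        print(f"{flag:6} {row['package']} {row['cve']} [{row['release']}] "
              f"{row['verdict']}: {row['reason']}")
```

Running the block against the constructed sample reports the Bookworm row as "ignored" with the tracker's reason attached, rather than as a finding. The complementary local check for the claim in the reply is to list the files of the installed zlib binary packages (for example `dpkg -L zlib1g zlib1g-dev`) and confirm that nothing from minizip is shipped; a scanner that matches on the source package name alone cannot see that.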
