
Re: Please correct or address CVE-2023-45853 for minizip / zlib



Hi Salvatore,

I see that the latest secdb provided by Debian marks these as vulnerable, but ignored. Can Debian update the documentation to make clear that open + ignored is a form of not-vulnerable? In my understanding, the term "ignored" does not imply that the vulnerability was not valid / did not apply.

Pulled from here:
https://security-tracker.debian.org/tracker/data/json

The data shows this as an open, unresolved vulnerability in Bookworm and Bullseye for zip.
e.g. cat debian-security-tracker.json | jq '.zlib."CVE-2023-45853"'


  "releases": {
    "bookworm": {
      "status": "open",
      "repositories": {
        "bookworm": "1:1.2.13.dfsg-1"
      },
      "urgency": "not yet assigned",
      "nodsa": "contrib/minizip not built and src:zlib not producing binary packages",
      "nodsa_reason": "ignored"
    },
    "bullseye": {
      "status": "open",
      "repositories": {
        "bullseye": "1:1.2.11.dfsg-2+deb11u2",
        "bullseye-security": "1:1.2.11.dfsg-2+deb11u2"
      },
      "urgency": "not yet assigned",
      "nodsa": "contrib/minizip not built and src:zlib not producing binary packages",
      "nodsa_reason": "ignored"
    },


I can always ask our vendors to re-examine, but it would be helpful if it were explicitly called out that this is ignored because the package, as it currently stands, is not vulnerable.


On Oct 27, 2024, at 2:13 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:

> Hi Mike,
>
> On Fri, Oct 25, 2024 at 08:42:28AM -0400, Mike Brancato wrote:
>> Hello,
>>
>> Several security databases flag Debian Bookworm and Bullseye as vulnerable to a critical severity vulnerability in minizip as part of zlib. In the tracker for CVE-2023-45853, the notes seem to already capture that they are not vulnerable. But the table and the reported data show vulnerable.
>>
>> The author has clarified multiple times that zlib is not vulnerable for these, and has stated there is no minizip code in these packages. The author also appears to have reached out to the Debian security team, and was rejected? Other distributions do not mark this code as vulnerable.
>>
>> If this *is* vulnerable, can the fix just be backported to the version used in Bullseye and Bookworm?
>>
>> https://security-tracker.debian.org/tracker/CVE-2023-45853
>>
>> https://github.com/madler/zlib/pull/843#issuecomment-1987681984
>> https://github.com/madler/zlib/pull/843#issuecomment-2010683088
>> https://github.com/madler/zlib/pull/843#issuecomment-2050417533
>
> The tracking here is already correct. The shipped source is affected
> but the security impact is not present, as binaries are not built.
> This is already sufficiently reflected with the ignored note.
>
> Security scanners often ignore this assessment; this might be why you
> are asking? In such a case, ask the vendor of your security scanner to
> include assessment of the <ignored> (explanation) tag.
>
> Thanks already,
> Regards,
> Salvatore
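The point Salvatore makes, that a scanner consuming the tracker export should read the `nodsa` / `nodsa_reason` annotation rather than stopping at `"status": "open"`, is easy to show in code. The script below is an added example and not part of the thread, Debian's tooling, or any scanner: it parses a constructed sample in the shape of the tracker JSON (the zlib entry mirrors the data quoted above; the `example-pkg` entry and `CVE-0000-00001` are placeholders invented here), classifies each (package, CVE, release) triple, and drops findings that Debian has marked open-but-ignored from the actionable list while keeping the explanation text for the report. The `fixed_version` field used for the resolved case is the tracker's own field name; the verdict labels are this example's.

```python
import json

# Constructed sample in the shape of the Debian security tracker export
# (https://security-tracker.debian.org/tracker/data/json). The zlib entry
# mirrors the data quoted in the thread; "example-pkg" and CVE-0000-00001
# are placeholders invented for this example to show contrasting cases.
SAMPLE_TRACKER_JSON = """
{
  "zlib": {
    "CVE-2023-45853": {
      "releases": {
        "bookworm": {
          "status": "open",
          "repositories": {"bookworm": "1:1.2.13.dfsg-1"},
          "urgency": "not yet assigned",
          "nodsa": "contrib/minizip not built and src:zlib not producing binary packages",
          "nodsa_reason": "ignored"
        },
        "bullseye": {
          "status": "open",
          "repositories": {"bullseye": "1:1.2.11.dfsg-2+deb11u2",
                           "bullseye-security": "1:1.2.11.dfsg-2+deb11u2"},
          "urgency": "not yet assigned",
          "nodsa": "contrib/minizip not built and src:zlib not producing binary packages",
          "nodsa_reason": "ignored"
        }
      }
    }
  },
  "example-pkg": {
    "CVE-0000-00001": {
      "releases": {
        "bookworm": {"status": "open", "repositories": {"bookworm": "1.0-1"},
                     "urgency": "not yet assigned"},
        "bullseye": {"status": "resolved", "repositories": {"bullseye": "0.9-1+deb11u1"},
                     "fixed_version": "0.9-1+deb11u1", "urgency": "not yet assigned"}
      }
    }
  }
}
"""


def load_tracker(text):
    """Parse the tracker export: package -> CVE -> {"releases": {...}}."""
    return json.loads(text)


def assess(tracker, package, cve, release):
    """Classify one (package, CVE, release) triple from the tracker data.

    Returns (verdict, note). Verdict labels are this example's own:
      'not-tracked'     - no entry for this triple
      'resolved'        - fixed in that release; note is the fixed version
      'open-ignored'    - open, but Debian will not issue a DSA and says so
                          in the nodsa text (here: minizip is not built)
      'open-no-dsa'     - open, no DSA planned for some other stated reason
      'open-actionable' - open with no no-DSA annotation: genuinely unfixed
      'undetermined'    - any other status value; treat as needing review
    """
    rel = tracker.get(package, {}).get(cve, {}).get("releases", {}).get(release)
    if rel is None:
        return "not-tracked", ""
    status = rel.get("status")
    if status == "resolved":
        return "resolved", rel.get("fixed_version", "")
    if status != "open":
        return "undetermined", status or ""
    reason = rel.get("nodsa_reason")
    note = rel.get("nodsa", "")
    if reason == "ignored":
        return "open-ignored", note
    if reason or note:
        return "open-no-dsa", note
    return "open-actionable", ""


def triage(tracker, findings):
    """Keep only findings the tracker does not explain away.

    findings is a list of (package, cve, release). Entries Debian marks as
    resolved or as open-with-no-DSA are dropped; anything the tracker does
    not know about is kept, since absence of data is not a clean bill.
    """
    kept = []
    for package, cve, release in findings:
        verdict, _ = assess(tracker, package, cve, release)
        if verdict in ("open-actionable", "undetermined", "not-tracked"):
            kept.append((package, cve, release))
    return kept


if __name__ == "__main__":
    tracker = load_tracker(SAMPLE_TRACKER_JSON)
    # Constructed scanner output: what a tool flagging "status": "open" would emit.
    findings = [
        ("zlib", "CVE-2023-45853", "bookworm"),
        ("zlib", "CVE-2023-45853", "bullseye"),
        ("example-pkg", "CVE-0000-00001", "bookworm"),
        ("example-pkg", "CVE-0000-00001", "bullseye"),
    ]
    for finding in findings:
        verdict, note = assess(tracker, *finding)
        print(f"{finding}: {verdict}" + (f" ({note})" if note else ""))
    print("still actionable:", triage(tracker, findings))
```

Run against the real export, the same `assess` call on `("zlib", "CVE-2023-45853", "bookworm")` would return the open-ignored verdict together with the "contrib/minizip not built" explanation, which is the text a scanner report should carry instead of a bare "vulnerable" flag.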

