[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE (Critical + High) in bookworm image

On Wed 22 Nov 2023 at 15:27:06 (-0500), Greg Wooledge wrote:
> On Wed, Nov 22, 2023 at 01:34:49PM -0600, David Wright wrote:
> > AFAICT zipOpenNewFileInZip4_64 is only contained in
> > /usr/lib/x86_64-linux-gnu/libminizip.so.1.0.0 which is from package
> > libminizip1_1~b1_amd64.deb.
> > 
> > In Debian, it would appear that minizip was split off from zlib1g
> > a decade ago.
> > 
> > zlib (1:1.2.8.dfsg-2) unstable; urgency=low
> >   
> >   * Drop zlib-bin package as minizip has now been packaged separately,
> >     delay due to lack of notice regarding upload (closes: #753070).
> > 
> >  -- Mark Brown <broonie@debian.org>  Sat, 16 Aug 2014 15:12:11 +0100
> 
> unicorn:~$ apt-cache show zlib1g
> [...]
> Source: zlib
> [...]
> Homepage: http://zlib.net/
> 
> unicorn:~$ apt-cache show libminizip1
> [...]
> Source: minizip (1.1-8)
> [...]
> Homepage: http://www.winimage.com/zLibDll/minizip.html
> 
> 
> Looks like Debian's minizip (including libminizip1) was sourced from a
> separate location, rather than being split apart from zlib.

I think that link gives a misleading impression. Before minizip,
the functionality was in zlib-bin, and the library was (using as
an example zlib-bin-1.2.3.4-minizip, from 2009):

  $ strings /tmp/zlib-bin-1.2.3.4-minizip | grep -i zlib
  MiniZip 1.01b, demo of zLib + Zip package written by Gilles Vollant
  more info at http://www.winimage.com/zLibDll/unzip.html
   zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
  $ 

I think it's all the same old code; this is the latest canonical
source of zlib (1495873 Aug 18 05:08 zlib.tar.gz, which I unpacked
in /tmp) with the same link:

  $ head -n 5 /tmp/zlib-1.3/contrib/minizip/zip.c 
  /* zip.c -- IO on .zip files using zlib
     Version 1.1, February 14h, 2010
     part of the MiniZip project - ( http://www.winimage.com/zLibDll/minizip.html )

           Copyright (C) 1998-2010 Gilles Vollant (minizip) ( http://www.winimage.com/zLibDll/minizip.html )
  $ 

> On the other hand, I cannot find zipOpen in
> /lib/x86_64-linux-gnu/libz.so.1.2.13 either (I used nm -D ... | less),
> so perhaps the minizip portion of zlib is not included during the build.
> If that's true, then the package should be marked as "not vulnerable".

… and libminizip1 should be the one marked:

  $ grep -r zipOpenNewFileInZip4_64 /tmp/zlib-1.3/
  /tmp/zlib-1.3/contrib/minizip/zip.c:extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, const zip_fileinfo* zipfi,
  /tmp/zlib-1.3/contrib/minizip/zip.c:    return zipOpenNewFileInZip4_64(file, filename, zipfi,
  /tmp/zlib-1.3/contrib/minizip/zip.c:    return zipOpenNewFileInZip4_64(file, filename, zipfi,
  /tmp/zlib-1.3/contrib/minizip/zip.c:    return zipOpenNewFileInZip4_64(file, filename, zipfi,
  /tmp/zlib-1.3/contrib/minizip/zip.c:    return zipOpenNewFileInZip4_64(file, filename, zipfi,
  /tmp/zlib-1.3/contrib/minizip/zip.c:    return zipOpenNewFileInZip4_64(file, filename, zipfi,
  /tmp/zlib-1.3/contrib/minizip/zip.c:    return zipOpenNewFileInZip4_64(file, filename, zipfi,
  /tmp/zlib-1.3/contrib/minizip/zip.c:    return zipOpenNewFileInZip4_64(file, filename, zipfi,
  /tmp/zlib-1.3/contrib/minizip/zip.h:extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file,
  /tmp/zlib-1.3/contrib/vstudio/vc10/zlibvc.def:        zipOpenNewFileInZip4_64                 @135
  /tmp/zlib-1.3/contrib/vstudio/vc14/zlibvc.def:        zipOpenNewFileInZip4_64                 @135
  /tmp/zlib-1.3/contrib/vstudio/vc11/zlibvc.def:        zipOpenNewFileInZip4_64                 @135
  /tmp/zlib-1.3/contrib/vstudio/vc9/zlibvc.def:        zipOpenNewFileInZip4_64                 @135
  /tmp/zlib-1.3/contrib/vstudio/vc12/zlibvc.def:        zipOpenNewFileInZip4_64                 @135
  $ 

Cheers,
David.
Reply to: