SNYK: Integer Overflow or Wraparound

[github-actions]

Description\n## NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Debian.
See How to fix? for Debian:10 relevant fixed versions and status.

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.

Remediation

There is no fixed version for Debian:10 zlib.

References

• https://security-tracker.debian.org/tracker/CVE-2023-45853
• https://chromium.googlesource.com/chromium/src/+/d709fb23806858847131027da95ef4c548813356
• https://chromium.googlesource.com/chromium/src/+/de29dd6c7151d3cd37cb4cf0036800ddfb1d8b61
• https://github.com/madler/zlib/blob/ac8f12c97d1afd9bafa9c710f827d40a407d3266/contrib/README.contrib#L1-L4
• minizip: Check length of comment, filename, and extra field, in zipOpenNewFileInZip4_64 madler/zlib#843
• https://www.winimage.com/zLibDll/minizip.html
• http://www.openwall.com/lists/oss-security/2023/10/20/9
• https://lists.debian.org/debian-lts-announce/2023/11/msg00026.html
• https://security.netapp.com/advisory/ntap-20231130-0009/
• https://pypi.org/project/pyminizip/#history
• https://security.gentoo.org/glsa/202401-18
• http://www.openwall.com/lists/oss-security/2024/01/24/10\n\n## Info\nnull\n\n## Severity\ncritical\n\n## Introduced through\n\n\n## Remediation\nnull