-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
minizip: Check length of comment, filename, and extra field, in zipOpenNewFileInZip4_64 #843
Conversation
…enNewFileInZip4_64 These are stored in 16-bit fields in the zip file format. Passing longer values would generate an invalid file. Passing very long values could also cause the computation of zi->ci.size_centralheader to overflow, which would cause heap buffer overflow on subsequent writes to zi->ci.central_header.
Applied. |
Hi, @madler does this affect the versions prior to 1.3 as well? |
Also the CVE-2023-45853 has been assigned to this bug |
@madler The above mentioned CVE is ranked with high criticality. As the fix already is in delelop branch, could you please provide a new patch release 1.3.1 of this lib? |
@madler: Can you look? |
Upstream PR: madler/zlib#843
For anyone looking for the integrated patch, it's 73331a6. |
Source: poky-nut MR: 127628 Type: Security Fix Disposition: Merged from poky-nut ChangeID: 6e265e44febbb6fdf85c7926b9a64b731c98d814 Description: Backport commit merged to develop branch from PR linked in NVD report: * https://nvd.nist.gov/vuln/detail/CVE-2023-45853 * madler/zlib#843 Signed-off-by: Peter Marko <[email protected]> Signed-off-by: Steve Sakoman <[email protected]> Signed-off-by: Jeremy A. Puhlman <[email protected]>
@rossburton: Yes it is in "develop" branch, not in a stable build. |
Upstream PR: madler/zlib#843 (cherry picked from commit 282d9cd)
Backport commit merged to develop branch from PR linked in NVD report: * https://nvd.nist.gov/vuln/detail/CVE-2023-45853 * madler/zlib#843 Signed-off-by: Peter Marko <[email protected]> Signed-off-by: Steve Sakoman <[email protected]>
Backport commit merged to develop branch from PR linked in NVD report: * https://nvd.nist.gov/vuln/detail/CVE-2023-45853 * madler/zlib#843 (From OE-Core rev: 6e265e44febbb6fdf85c7926b9a64b731c98d814) Signed-off-by: Peter Marko <[email protected]> Signed-off-by: Steve Sakoman <[email protected]>
…extrafields (CVE-2023-45853) Backport of madler/zlib#843
…extrafields (CVE-2023-45853) Backport of madler/zlib#843
Hi, @madler does this affect the versions prior to 1.3 as well for example version 1.2.12? |
I have pipeline that has to use Aqua Scan and I started to get critical vulnerability for version 1:1.2.13.dfsg-1. Here is reference to report: https://security-tracker.debian.org/tracker/CVE-2023-45853. Could you please look at it? |
@madler could you please release a patch ? |
Similar issue, are there any instructions to get this patch while awaiting to be included as part of debian package repository |
Running into same issue with the vulnerability being flagged via a scan. Any updates as to when this fix will be merged into the master branch? |
Running into same issue with the vulnerability being flagged via a scan. Any updates on this stable release? |
By palamida scan, it showed that there are vulnerability on the identical files during this upgrade. |
@madler: VulnerabilityID": "CVE-2023-45853", This is the vulnerability and its occurring in python:3.11.8 image as built on debain 12 image. |
@raghu298 You are still not telling me what "it" is that is saying that. I don't need to know the message. I want to know who the messenger is. What, exactly, is reporting this? Are you running something to tell you this? What do you mean that it is "occurring in python:3.11.8 image"? Are you scanning the Python executable? Are you running Python code? What are you doing to incite the message? |
@madler I have trivy image scan tool which scans the image and shows the vulnerabilities. |
@madler Is there a way to upgrade zlib1g to non-vulnerable version? |
You would have to find a version of the Python 3 executable with a newer zlib, or rebuild one yourself. But you don't have to. Python does not use minizip, so there is no vulnerability. If you have installed the pyminizip package, it may be vulnerable, but your tool is not reporting it there. It is reporting the zlib version being used by the Python executable. In short, you do not have a problem. trivy is wrong. |
@madler i think python image is built on top of debain image so the tool is scanning python image and finding the vulenarability. |
Is there a way to upgrade zlib1g to non-vulnerable version? -- any update on this? |
@Ajith-Reddy1205
|
Thanks for the clarification @madler, |
Same here, debian images (and all images based on debian, including for instance python images) are marked as critically vulnerable by Trivy.
|
Sigh. I tried. It is this page: https://security-tracker.debian.org/tracker/CVE-2023-45853 , that incorrectly marks 1:1.2.13.dfsg-1 as vulnerable, when in fact it has no minizip code in it whatsoever. (I verified that by downloading it and listing the external symbols in the .so file.) I managed to reach someone at debian.org who seems to be in control of that page, but instead of fixing the page, they defended it, even though it's wrong. |
This is really weird. It's really against their interest to have ALL Debian images flagged as critically vulnerable for so long. |
I'm just putting this as a FYI, to try and help people who might land here looking for answers. Mark's probably sick of hearing about this by now. Sorry Mark, I just didn't see anyone post a public discussion of this with the details I was looking for. Maybe at least I gave you some things to link to if it would help?
Unfortunately it looks like Bookworm and all older releases will be flagged by this, and this will only be (coincidentally) fixed by the next major release (Trixie). Debian doesn't have a target date for that release right now, but if they keep up with their usual release schedule, I'd guess that won't be for over a year from now. Here's some other things for further reading, I put more information in them:
I'm not sure if there's a way to modify the code of trivy to handle this case better, but it seems like there's not, because it sounds like "ignored" might be used in the Debian tracker for both "won't fix" and "not affected", and Trivy interprets "ignored" as "this container image is still vulnerable" so that distinction is very important for corporate vulnerability dashboards. I notice that Clair (https://github.com/quay/clair) also seems to have the same problem. It would seem like the Debian tracker is meant for humans to read, not bots, and tools that try and "simplify" things by reducing that to "you have 10 vulnerabilities" have a hard time handling that. I'm not going to bug either trivy or Debian anymore. Summary:
Hope that helps |
Note to Snyk users: you will find this reported as a critical, unfixable vulnerability on your dockers and you will sooner or later end up here. @superlazyname answer applies to us too :) |
Upstream PR: madler/zlib#843
Upstream PR: madler/zlib#843
Upstream PR: madler/zlib#843
In Arch Linux this needs removed of website (https://security.archlinux.org/) and arch-audit... Any chance of fixing this? |
These are stored in 16-bit fields in the zip file format. Passing longer values would generate an invalid file.
Passing very long values could also cause the computation of zi->ci.size_centralheader to overflow, which would cause heap buffer overflow on subsequent writes to zi->ci.central_header.
This was reported to Chromium in https://crbug.com/1470539, and patched in https://crrev.com/1182507 and https://crrev.com/1182669