Please release 1.3.1 to fix CVE-2023-45853 (9.8 CRITICAL) #868
Comments
|
@madler: Can you do it? Thanks in advance. |
* [ASL-4412] Bump asl-pages to version with fixed hint text * [ASL-4412] Bump asl-pages to version with fixed hint text * [ASL-4412] Run `npm audit fix` * [ASL-4412] Allowlist zlib vulnerability until a fix is released madler/zlib#868
|
Any expected timeline for a fix for CVE-2023-45853? |
|
I may put out a release soon, but please note that minizip is not part of zlib. The source code is provided in the contrib directory of the zlib distribution, along with several other such contributions, as a courtesy. This is not a zlib vulnerability. |
Sure, but the problem is, that zlib is bundled with minizip in most of the linux distributions (Ubuntu, Debian ...). So can you please release 1.3.1 with the fix? |
|
@madler: I think that you can create a GitHub organization for zlib, and move contrib in external repository, it will be better to manage :) |
|
In the Debian package, the source code to minizip is bundled as the |
|
For whatever reason we also ship a binary of minizip as a separate package, and there's some other packages have copied the source. |
That's literally what we're doing here. zlib ships a broken minizip. |
Nope, zlib contains a contrib directory.
|
Go to zlib.net, download the first link under "The current release is publicly available here:". This is what zlib SHIPS, this is the deliverable that everybody who downloads zlib gets. This contains the vulnerable code. Therefore it is exactly:
But @orbatec said it best
|
I might be wrong...
Agreed, mark the CVE as invalid, as it should be, done, no release needed. |
|
minizip is not built as part of the default zlib, however as discussed much earlier it is built and shipped as a separate binary package by some distros which means the source package for zlib ends up having an issue even though the binaries with zlib itself are fine. |
Those distros is the ones with problems, not zlib. |
If you go to the page and download the deliverable, you have the vulnerable code. It doesn't matter if you "define" it differently. The fact is, the thing you've downloaded IS zlib for all intents and purposes. If you don't want to be responsible for something, don't deliver it. The CVE is accurate. I'm sorry you don't want to hear this. |
I don't really care about zlib, but I do see CVE system as broken due to abuse. The fact is still that contrib is not something that should be used, and especially not packaged (read distributed in a form meant for installation), without the one doing so taking responsibility. Every instance we see here about zlib being marked as vulnerable in systems not even having minizip is proof of the CVE being invalid. If anyone cared they would mark minizip as vulnerable, not zlib. The broken CVE system needs to be fixed. Not non broken packages. |
|
If the If there are no binary packages named If there are binary packages labelled Lastly, vulnerability scanners should not rely on package installation metadata to determine if a system is vulnerable, but instead on binary signatures, just like malware scanners. |
|
I think this discussion has lost focus... No one says that the maintainer has to release a fix, it just would be very very helpful for a lot of people, despite the fact that it might or might not be a good idea for a packaging systems to compile things from |
|
Out of curiosity, which binary |
|
In unstable the zlib source package in Debian (and derivatives that don't change this) also builds minizip and libminizip binary packages using what's in contrib (minzip does have some direct users). eg, https://packages.debian.org/sid/minizip |
|
So the CVE should be only be attributed, at least with CRITICAL severity, to the libminizip binary package, and maybe with moderate priority to any other packages that include the source. Does the conceptual model underneath CVEs support assigning different severities to individual packages, or package types (source vs binary)? Or could two CVEs have been created, a critical one for |
|
AFAICT (certainly here) they just track the source. |
|
The CVE system itself is not designed to attribute a given vulnerability to a package. Its purpose is only to give a specific publicly known vulnerability a common identifier. Nothing more. CPE is a component of the CVE ecosystem that can be used to enumerate software and configurations that may embody a publicly known vulnerability. There is a CPE for Unfortunately this is an example of the systemic problems we're dealing with when the canonical upstream for a given piece of code is unclear, and information is lost: Debian patched their msw@carbon:~/git/zlib/contrib/minizip$ git rev-parse HEAD
36e369e1a54b35a978dc584496af69a07ec2d71a
msw@carbon:~/git/zlib/contrib/minizip$ ls /tmp/moo
ls: cannot access '/tmp/moo': No such file or directory
msw@carbon:~/git/zlib/contrib/minizip$ ./miniunz ~/Downloads/traversal.zip
MiniUnz 1.1, demo of zLib + Unz package written by Gilles Vollant
more info at http://www.winimage.com/zLibDll/unzip.html
/home/msw/Downloads/traversal.zip opened
extracting: /tmp/moo
msw@carbon:~/git/zlib/contrib/minizip$ ls /tmp/moo
/tmp/mooThe way that CVE and CPE are designed for security and software development practitioners, it would be appropriate to tag the source code distribution of Unfortunately, CVEs have taken a life of their own for software users (consumers), and this introduces downsides in its adoption for software producers. As soon as the Software users have to scurry to apply updates that are effectively no-ops, sometimes under extreme time pressure when the NVD has a 9.8 CVSSv3 score for a given CVE. And when there's no new source code version released that satisfies the CPE pattern matcher (so that the scan report comes back green), end-users come knocking on the door of maintainers that are volunteering their own time to make new releases. In any case, upon discovery of this non-upstream'ed fix in Debian's packaging of How this slipped by "ZipSlip", I have no idea. |
|
Zlib 1.3.1 has been released (2024-01-22): Thanks @madler. |
|
For anyone coming here due to https://security-tracker.debian.org/tracker/CVE-2023-45853 for Debian Bookworm (12) or Bullseye (11) and the You should note this wording in the Debian advisory:
Based on this and the Debian package sources, it appears that there is a Debian-patched version of the sources for minizip in the source archive for the See:
I think scanners are flagging this because of logic like:
It's simplistic, but makes some sense. In this case it's also wrong, there is no problem here. So as far as I can tell, there is no fix for the Debian CVE because no actual vulnerability exists. Nobody's likely to make a backport package to delete the unused sources to silence scanners that aren't smart enough to detect the actual presence of the vulnerability in a shipping binary or container image. Check your $ MY_VERSION=$(awk '/^Version:/ { print $2}' var/lib/dpkg/status.d/zlib1g)
$ echo "${MY_VERSION}"
1:1.2.13.dfsg-1
$ if dpkg --compare-versions "${MY_VERSION:?missing MY_VERSION}" lt 1:1.2.13.dfsg-2; then echo "$MY_VERSION is older than the first vulnerable version"; else echo "$MY_VERSION is potentially vulnerable"; fi
1:1.2.13.dfsg-1 is older than the first vulnerable versionI have raised this to Snyk as case |
|
@ringerc: 1.3.1 version has been released 2024-01-22: |
|
@Neustradamus I know, thanks. I'm trying to help folks who trip over the false positive from Snyk about this on Debian 12. |
|
Just for completeness, many of those broken Scanners would not even Look at the (patches) source, just based on CPE, so deleting it would not help. But it’s strange that (Manila) Snyk does not overwrite the Scan results. They (and Docker Scout) cause quite some extra work formPSIRT to explaining such false detections in vendor Containers. |
and others
@madler
It looks like the fix is already in develop: See #843 and 73331a6
We only new a new release :)
See also: https://nvd.nist.gov/vuln/detail/CVE-2023-45853
The text was updated successfully, but these errors were encountered: