New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Buffer overflow in zipOpenNewFileInZip4_64 see CVE-2023-45853 #205

Open

CRaNkXD opened this issue Oct 2, 2024 · 2 comments

CRaNkXD commented Oct 2, 2024

There is a security issue CVE-2023-45853 which was found in minizip.
A long filename, comment or extra field can cause a buffer overflow.
Here is the patch: https://github.com/madler/zlib/pull/843/commits/431e66398552effd82d5c0ea982a521821782ebd#diff-1b810588fb7a7b13dd4b92b803214212dc9e9198b9e246e5e5e59de2a245ff56R1059

Author

CRaNkXD commented Oct 2, 2024

I forgot to follow the security policy ... But I guess this issue is already known for a long time.

Collaborator

cen1 commented Oct 2, 2024

Thank you for bringing this up. There is a task to update minizip but there are quite a lot of changes so it won't land anytime soon.

However, the patch you linked seems to be compatible with the existing code so I think I'll be able to simply pull this in.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment