Your message dated Sat, 09 Dec 2023 10:20:37 +0000 with message-id <83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.camel@adam-barratt.org.uk> and subject line Closing requests for updates included in 12.3 point release has caused the Debian Bug report #1056737, regarding bookworm-pu: minizip/1.1-8+deb12u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1056737: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056737 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: bookworm-pu: minizip/1.1-8+deb12u1
- From: Thorsten Alteholz <debian@alteholz.de>
- Date: Sat, 25 Nov 2023 18:01:27 +0000 (UTC)
- Message-id: <alpine.DEB.2.21.2311251750110.18161@postfach.intern.alteholz.me>
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian.org@packages.debian.org Usertags: puThe attached debdiff for minizip fixes CVE-2023-45853 in Bookworm. This CVE has been marked as no-dsa by the security team.Chrome upstream added a test for their internal copy of minizip. Running this test against libminizip1 of this package worked as well, so I don't expect any problems.Thorstendiff -Nru minizip-1.1/debian/changelog minizip-1.1/debian/changelog --- minizip-1.1/debian/changelog 2016-01-03 04:24:26.000000000 +0100 +++ minizip-1.1/debian/changelog 2023-11-25 13:03:02.000000000 +0100 @@ -1,3 +1,11 @@ +minizip (1.1-8+deb12u1) bookworm; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2023-45853 (Closes: #1056719) + Reject overflows of zip header fields in minizip. + + -- Thorsten Alteholz <debian@alteholz.de> Sat, 25 Nov 2023 13:03:02 +0100 + minizip (1.1-8) unstable; urgency=medium * Fix implicit function declaration. diff -Nru minizip-1.1/debian/patches/CVE-2023-45853.patch minizip-1.1/debian/patches/CVE-2023-45853.patch --- minizip-1.1/debian/patches/CVE-2023-45853.patch 1970-01-01 01:00:00.000000000 +0100 +++ minizip-1.1/debian/patches/CVE-2023-45853.patch 2023-11-18 17:51:11.000000000 +0100 @@ -0,0 +1,34 @@ +commit 73331a6a0481067628f065ffe87bb1d8f787d10c +Author: Hans Wennborg <hans@chromium.org> +Date: Fri Aug 18 11:05:33 2023 +0200 + + Reject overflows of zip header fields in minizip. + + This checks the lengths of the file name, extra field, and comment + that would be put in the zip headers, and rejects them if they are + too long. They are each limited to 65535 bytes in length by the zip + format. This also avoids possible buffer overflows if the provided + fields are too long. + +Index: minizip-1.1/zip.c +=================================================================== +--- minizip-1.1.orig/zip.c 2023-11-18 17:51:05.539763813 +0100 ++++ minizip-1.1/zip.c 2023-11-18 17:51:05.539763813 +0100 +@@ -1082,6 +1082,17 @@ + return ZIP_PARAMERROR; + #endif + ++ // The filename and comment length must fit in 16 bits. ++ if ((filename!=NULL) && (strlen(filename)>0xffff)) ++ return ZIP_PARAMERROR; ++ if ((comment!=NULL) && (strlen(comment)>0xffff)) ++ return ZIP_PARAMERROR; ++ // The extra field length must fit in 16 bits. If the member also requires ++ // a Zip64 extra block, that will also need to fit within that 16-bit ++ // length, but that will be checked for later. ++ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff)) ++ return ZIP_PARAMERROR; ++ + zi = (zip64_internal*)file; + + if (zi->in_opened_file_inzip == 1) diff -Nru minizip-1.1/debian/patches/series minizip-1.1/debian/patches/series --- minizip-1.1/debian/patches/series 2016-01-03 04:14:08.000000000 +0100 +++ minizip-1.1/debian/patches/series 2023-11-18 17:50:30.000000000 +0100 @@ -1,3 +1,5 @@ include.patch automake.patch traversal.patch + +CVE-2023-45853.patch
--- End Message ---
--- Begin Message ---
- To: 1040860-done@bugs.debian.org, 1050384-done@bugs.debian.org, 1050868-done@bugs.debian.org, 1052227-done@bugs.debian.org, 1052229-done@bugs.debian.org, 1053141-done@bugs.debian.org, 1053461-done@bugs.debian.org, 1053532-done@bugs.debian.org, 1053681-done@bugs.debian.org, 1053895-done@bugs.debian.org, 1053908-done@bugs.debian.org, 1053918-done@bugs.debian.org, 1054096-done@bugs.debian.org, 1054100-done@bugs.debian.org, 1054119-done@bugs.debian.org, 1054122-done@bugs.debian.org, 1054286-done@bugs.debian.org, 1054287-done@bugs.debian.org, 1054340-done@bugs.debian.org, 1054363-done@bugs.debian.org, 1054401-done@bugs.debian.org, 1054421-done@bugs.debian.org, 1054442-done@bugs.debian.org, 1054470-done@bugs.debian.org, 1054589-done@bugs.debian.org, 1055009-done@bugs.debian.org, 1055031-done@bugs.debian.org, 1055086-done@bugs.debian.org, 1055155-done@bugs.debian.org, 1055226-done@bugs.debian.org, 1055229-done@bugs.debian.org, 1055241-done@bugs.debian.org, 1055350-done@bugs.debian.org, 1055419-done@bugs.debian.org, 1055539-done@bugs.debian.org, 1055588-done@bugs.debian.org, 1055611-done@bugs.debian.org, 1055859-done@bugs.debian.org, 1055894-done@bugs.debian.org, 1055944-done@bugs.debian.org, 1055965-done@bugs.debian.org, 1055986-done@bugs.debian.org, 1056006-done@bugs.debian.org, 1056136-done@bugs.debian.org, 1056158-done@bugs.debian.org, 1056164-done@bugs.debian.org, 1056169-done@bugs.debian.org, 1056194-done@bugs.debian.org, 1056228-done@bugs.debian.org, 1056252-done@bugs.debian.org, 1056307-done@bugs.debian.org, 1056318-done@bugs.debian.org, 1056330-done@bugs.debian.org, 1056521-done@bugs.debian.org, 1056696-done@bugs.debian.org, 1056716-done@bugs.debian.org, 1056721-done@bugs.debian.org, 1056732-done@bugs.debian.org, 1056737-done@bugs.debian.org, 1056741-done@bugs.debian.org, 1056744-done@bugs.debian.org, 1056917-done@bugs.debian.org, 1056934-done@bugs.debian.org, 1056958-done@bugs.debian.org, 1056987-done@bugs.debian.org, 1057038-done@bugs.debian.org, 1057069-done@bugs.debian.org, 1057070-done@bugs.debian.org, 1057071-done@bugs.debian.org, 1057099-done@bugs.debian.org, 1057103-done@bugs.debian.org, 1057116-done@bugs.debian.org, 1057125-done@bugs.debian.org, 1057128-done@bugs.debian.org, 1057129-done@bugs.debian.org, 1057156-done@bugs.debian.org, 1057157-done@bugs.debian.org, 1057159-done@bugs.debian.org, 1057236-done@bugs.debian.org, 1057239-done@bugs.debian.org, 1057274-done@bugs.debian.org, 1057300-done@bugs.debian.org, 1057310-done@bugs.debian.org, 1057311-done@bugs.debian.org, 1057325-done@bugs.debian.org, 1057327-done@bugs.debian.org
- Subject: Closing requests for updates included in 12.3 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 09 Dec 2023 10:20:37 +0000
- Message-id: <83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.camel@adam-barratt.org.uk>
Package: release.debian.org Version: 12.3 Hi, Each of the updates discussed in these requests was included in this morning's 12.3 bookworm point release. Regards, Adam
--- End Message ---