mark zlib as not-affected by CVE-2023-45853, since the built code ends up in the minizip package

On this page: https://security-tracker.debian.org/tracker/CVE-2023-45853 the package zlib is listed as 'vulnerable'.

Based on this email: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054290#12 I believe that a more correct status is 'not-affected'.

I also downloaded the binary zlib package and searched for 'zipOpenNewFile*' symbols in order to verify that there are none.

I have not tried to write a PoC exploit to 100% guarantee that it's not affected.
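
One way to repeat the symbol check described above, as an added example that is not part of the original merge request. It assumes `dpkg-deb` and binutils `nm` are installed; the function names `filter_zipopen_symbols`, `scan_deb` and `sample_nm_output` are hypothetical, and the sample `nm` lines are constructed.

```shell
#!/bin/sh
# Added example: look for exported zipOpenNewFile* (minizip) symbols in a .deb.
# Assumptions: dpkg-deb and binutils nm are available; all names here are hypothetical.

# Constructed sample of `nm -D` output, used only to exercise the filter offline.
sample_nm_output() {
    printf '%s\n' \
        '0000000000002a10 T deflate@@ZLIB_1.2' \
        '0000000000003b40 T inflate@@ZLIB_1.2' \
        '0000000000004d80 T zipOpenNewFileInZip4_64' \
        '0000000000004c00 T zipOpenNewFileInZip' \
        '                 U malloc@GLIBC_2.2.5'
}

# Read `nm -D --defined-only` output on stdin and print the defined symbols
# whose name starts with zipOpenNewFile, without any @VERSION suffix.
# Defined-symbol lines have three fields (address, type, name); undefined
# symbols and per-file header lines have fewer and are skipped.
filter_zipopen_symbols() {
    awk 'NF == 3 && $3 ~ /^zipOpenNewFile/ { sub(/@.*/, "", $3); print $3 }' | sort -u
}

# Unpack a binary package into a temporary directory and scan every shared
# object it ships. Static archives (*.a) are not covered: they have no
# dynamic symbol table and would need nm without -D.
# Return status: 0 = no matching symbol, 1 = match found, 2 = usage or unpack error.
scan_deb() {
    deb=$1
    [ -f "$deb" ] || { echo "usage: scan_deb PACKAGE.deb" >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    dpkg-deb -x "$deb" "$tmp" || { rm -rf "$tmp"; return 2; }
    found=$(find "$tmp" -type f -name '*.so*' \
                -exec nm -D --defined-only {} + 2>/dev/null \
            | filter_zipopen_symbols)
    rm -rf "$tmp"
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}
```

After sourcing the file, `scan_deb PACKAGE.deb` prints any matching symbol names and returns 1 if it finds one.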
