Is CVE-2023-45853 causing issues?
admivsn opened this issue
Seems like Snyk is throwing up some errors, is anyone else suffering from the same issue?
Critical severity vulnerability found in zlib/zlib1g
Description: Integer Overflow or Wraparound
Info: https://security.snyk.io/vuln/SNYK-DEBIAN12-ZLIB-6008963
Introduced through: zlib/zlib1g@1:1.2.13.dfsg-1, zlib/zlib1g-dev@1:1.2.13.dfsg-1
From: zlib/zlib1g@1:1.2.13.dfsg-1
From: zlib/zlib1g-dev@1:1.2.13.dfsg-1
Image layer: Introduced by your base image (python:3.10)
Is anyone else suffering from the same issue?
madler/zlib#868
https://snyk.io/test/docker/python%3A3.10
https://security.snyk.io/vuln/SNYK-DEBIAN12-ZLIB-6008963
There is no upstream fix from Debian maintainers: https://security-tracker.debian.org/tracker/CVE-2023-45853
@admivsn Do you know if there is python docker image that does not have this security issue?
any fixes planned for this ?
There are no fixes in Debian packages (where the zlib library comes from): https://security-tracker.debian.org/tracker/CVE-2023-45853; so, there is nothing we can do in the image to change it.
The vuln is technically in just minizip, a separate part of the zlib source and not included in the zlib1g or zlib1g-dev packages:
- https://packages.debian.org/bookworm/amd64/zlib1g/filelist
- https://packages.debian.org/bookworm/amd64/zlib1g-dev/filelist
Hopefully the Debian Security tracker (https://security-tracker.debian.org/tracker/CVE-2023-45853) will be updated to reflect the fact that it doesn't seem to apply to buster, bullseye, or bookworm (like Ubuntu's tracker does).
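As an added triage check that is not from this issue or the docker-library/python project: a small shell helper that tests whether the zlib packages in an image actually ship any minizip files, which is the basis for the "not applicable" argument above. The path patterns it greps for are assumptions about how minizip is normally installed, not something the thread states.

```shell
#!/bin/sh
# Heuristic triage helper (added example, not the project's own code).
# minizip_in_filelist reads a Debian package file list on stdin (from
# `dpkg -L <pkg>` inside the image, or a packages.debian.org filelist saved
# to a file), prints paths that look like minizip contrib code and returns
# 0 if any were found, 1 if the package ships no minizip files.
# The patterns (a minizip/ directory, libminizip.so*, unzip.h, ioapi.h,
# mztools.h) are assumptions about a typical minizip install.
minizip_in_filelist() {
    grep -Ei '(/minizip/|/libminizip[^/]*$|/unzip\.h$|/ioapi\.h$|/mztools\.h$)'
}

# check_image_zlib runs the check against the installed zlib1g and
# zlib1g-dev packages of the container it is executed in, e.g.
#   docker run --rm python:3.10 sh -c "$(cat this.sh); check_image_zlib"
check_image_zlib() {
    for pkg in zlib1g zlib1g-dev; do
        if ! dpkg-query -W "$pkg" >/dev/null 2>&1; then
            echo "$pkg: not installed"
            continue
        fi
        if dpkg -L "$pkg" | minizip_in_filelist; then
            echo "$pkg: ships minizip files, CVE-2023-45853 may apply"
        else
            echo "$pkg: no minizip files found, finding is likely not applicable"
        fi
    done
}
```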