docker-library / python

Docker Official Image packaging for Python

Home Page:https://www.python.org/

Is CVE-2023-45853 causing issues?

admivsn opened this issue · comments

Seems like Snyk is throwing up some errors. Is anyone else suffering from the same issue?

  Critical severity vulnerability found in zlib/zlib1g
  Description: Integer Overflow or Wraparound
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN12-ZLIB-6008963
  Introduced through: zlib/zlib1g@1:1.2.13.dfsg-1, zlib/zlib1g-dev@1:1.2.13.dfsg-1
  From: zlib/zlib1g@1:1.2.13.dfsg-1
  From: zlib/zlib1g-dev@1:1.2.13.dfsg-1
  Image layer: Introduced by your base image (python:3.10)

Is anyone else suffering from the same issue?

madler/zlib#868
https://snyk.io/test/docker/python%3A3.10
https://security.snyk.io/vuln/SNYK-DEBIAN12-ZLIB-6008963

There is no upstream fix from Debian maintainers: https://security-tracker.debian.org/tracker/CVE-2023-45853

@admivsn Do you know if there is a Python Docker image that does not have this security issue?

Any fixes planned for this?

There are no fixes in Debian packages (where the zlib library comes from): https://security-tracker.debian.org/tracker/CVE-2023-45853; so, there is nothing we can do in the image to change it.
The vuln is technically in just minizip, a separate part of the zlib source and not included in the zlib1g or zlib1g-dev packages:

Hopefully the Debian Security tracker (https://security-tracker.debian.org/tracker/CVE-2023-45853) will be updated to reflect the fact that it doesn't seem to apply to buster, bullseye, or bookworm (like Ubuntu's tracker does).
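The point made above (the affected code lives in minizip, which the zlib1g and zlib1g-dev packages do not ship) can be checked directly against the package file lists of the image. This is an added example, not code from the thread or from the docker-library maintainers; it assumes a Debian-based image where `dpkg -L` is available, and the two embedded listings are constructed stand-ins for that command's output so the check runs offline.

```shell
#!/bin/sh
# Does a dpkg -L listing contain any minizip files (where CVE-2023-45853 lives)?
# Live use against the image discussed in the thread:
#   docker run --rm python:3.10 dpkg -L zlib1g zlib1g-dev | grep -Ei "$MINIZIP_RE"
# An empty result means the scanner finding does not apply to those packages.

# Paths that only minizip ships: its directory/library name and its headers
# (unzip.h, zip.h, ioapi.h, iowin32.h, mztools.h). zlib.h/zconf.h do not match.
MINIZIP_RE='minizip|/(unzip|zip|ioapi|iowin32|mztools)\.h$'

# Count minizip-related lines in a listing passed as one string.
# grep -c exits 1 when the count is 0, so "|| true" keeps the 0 on stdout.
minizip_count() {
    printf '%s\n' "$1" | grep -Eic "$MINIZIP_RE" || true
}

# Succeeds (exit 0) when the listing has no minizip files at all.
check_listing() {
    [ "$(minizip_count "$1")" -eq 0 ]
}

# Constructed listing resembling `dpkg -L zlib1g zlib1g-dev` on bookworm.
ZLIB_LISTING='/.
/usr/lib/x86_64-linux-gnu/libz.so.1.2.13
/usr/lib/x86_64-linux-gnu/libz.so.1
/usr/include/zconf.h
/usr/include/zlib.h
/usr/lib/x86_64-linux-gnu/libz.a
/usr/lib/x86_64-linux-gnu/pkgconfig/zlib.pc'

# Constructed listing resembling a libminizip-dev install, i.e. a case where
# the CVE would actually be present in the image.
MINIZIP_LISTING='/usr/include/minizip/unzip.h
/usr/include/minizip/zip.h
/usr/lib/x86_64-linux-gnu/libminizip.so'

if check_listing "$ZLIB_LISTING"; then
    echo "zlib1g/zlib1g-dev: no minizip files, CVE-2023-45853 does not apply"
fi
if ! check_listing "$MINIZIP_LISTING"; then
    echo "minizip present ($(minizip_count "$MINIZIP_LISTING") files): finding applies"
fi
```

Replace the constructed listings with real `dpkg -L` output from your image before relying on the result; a match only shows minizip is installed, not which version.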