docker-library / python

Docker Official Image packaging for Python
https://www.python.org/
MIT License

Is CVE-2023-45853 causing issues? #881

Closed admivsn closed 10 months ago

admivsn commented 11 months ago

Seems like Snyk is throwing up some errors, is anyone else suffering from the same issue?

  Critical severity vulnerability found in zlib/zlib1g
  Description: Integer Overflow or Wraparound
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN12-ZLIB-6008963
  Introduced through: zlib/zlib1g@1:1.2.13.dfsg-1, zlib/zlib1g-dev@1:1.2.13.dfsg-1
  From: zlib/zlib1g@1:1.2.13.dfsg-1
  From: zlib/zlib1g-dev@1:1.2.13.dfsg-1
  Image layer: Introduced by your base image (python:3.10)

Is anyone else suffering from the same issue?

https://github.com/madler/zlib/issues/868
https://snyk.io/test/docker/python%3A3.10
https://security.snyk.io/vuln/SNYK-DEBIAN12-ZLIB-6008963

ad-m-ss commented 11 months ago

There is no upstream fix from Debian maintainers: https://security-tracker.debian.org/tracker/CVE-2023-45853

jdhao commented 11 months ago

@admivsn Do you know if there is python docker image that does not have this security issue?

ezzeldinadel commented 11 months ago

any fixes planned for this ?

yosifkit commented 11 months ago

> any fixes planned for this ?

There are no fixes in Debian packages (where the zlib library comes from): https://security-tracker.debian.org/tracker/CVE-2023-45853; so, there is nothing we can do in the image to change it.

The vuln is technically in just minizip, a separate part of the zlib source and not included in the zlib1g or zlib1g-dev packages:

Hopefully the Debian Security tracker (https://security-tracker.debian.org/tracker/CVE-2023-45853) will be updated to reflect the fact that it doesn't seem to apply to buster, bullseye, or bookworm (like Ubuntu's tracker does).
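As an added example (not code from this thread or from the docker-library project), the script below shows one way a defender can record the triage yosifkit describes: it parses the Snyk text finding quoted above, checks a package file listing for minizip artifacts, and emits an OpenVEX statement that is `not_affected` with the `vulnerable_code_not_present` justification only when no minizip file is present. The `dpkg -L`-style file list is constructed, and the package-url form used for product identifiers is an assumption, not something the page states.

```python
import re

# Snyk finding as quoted in the issue (copied from the thread text)
SNYK_FINDING = """\
Critical severity vulnerability found in zlib/zlib1g
Info: https://security.snyk.io/vuln/SNYK-DEBIAN12-ZLIB-6008963
Introduced through: zlib/zlib1g@1:1.2.13.dfsg-1, zlib/zlib1g-dev@1:1.2.13.dfsg-1
"""

# Constructed `dpkg -L zlib1g zlib1g-dev`-style listing, not real output
ZLIB_FILES = [
    "/lib/x86_64-linux-gnu/libz.so.1.2.13",
    "/usr/include/zlib.h",
    "/usr/lib/x86_64-linux-gnu/libz.so",
]

# Paths that appear only when zlib's contrib/minizip code is installed
MINIZIP_MARKERS = ("minizip", "/zip.h", "/unzip.h", "/ioapi.h")

def parse_finding(text):
    """Return (snyk_id, ['zlib1g@1:1.2.13.dfsg-1', ...]) from Snyk text output."""
    snyk_id = re.search(r"SNYK-[A-Z0-9-]+", text).group(0)
    intro = re.search(r"Introduced through: (.+)", text).group(1)
    return snyk_id, [p.strip().split("/", 1)[1] for p in intro.split(",")]

def ships_minizip(files):
    """True if any installed path looks like minizip code."""
    return any(m in f for f in files for m in MINIZIP_MARKERS)

def deb_purl(pkg_at_version, distro="debian-12"):
    """Assumed package-url for a Debian binary package; ':' in the epoch is %-encoded."""
    name, version = pkg_at_version.split("@", 1)
    return f"pkg:deb/debian/{name}@{version.replace(':', '%3A')}?distro={distro}"

def vex_statement(cve, finding_text, files):
    """One OpenVEX statement: not_affected only when no minizip file is present."""
    snyk_id, pkgs = parse_finding(finding_text)
    stmt = {
        "vulnerability": {"name": cve, "aliases": [snyk_id]},
        "products": [{"@id": deb_purl(p)} for p in pkgs],
        "status": "not_affected",
        "justification": "vulnerable_code_not_present",
    }
    if ships_minizip(files):  # minizip present: the scanner hit needs real review
        stmt["status"] = "under_investigation"
        del stmt["justification"]
    return stmt
```

Wrap the statement in an OpenVEX document (`@context`, `@id`, `author`, `timestamp`, `version`) before feeding it to a scanner that consumes VEX.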