Conversation

Notices

1. Embed this notice
   Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 22-Nov-2023 20:30:14 JST Josh Bressers

   A lot of folks are going to have a bad time with this

   https://nvd.nist.gov/vuln/detail/CVE-2023-45853

   It’s a critical #CVE in zlib

   Except it’s not critical

   And doesn’t affect zlib

   The whole CVE system is too broken to fix

   • Embed this notice
     Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Wednesday, 22-Nov-2023 20:30:13 JST Haelwenn /элвэн/ :triskell:

     in reply to
     @joshbressers Except the actual true upstream of minizip is zlib.
     
     Source? Minizip's homepage. https://www.winimage.com/zLibDll/minizip.html
   • Embed this notice
     Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Wednesday, 22-Nov-2023 20:54:35 JST Haelwenn /элвэн/ :triskell:

     in reply to

     • Erin 💽

     @erincandescent @joshbressers Meaning it's also in zlib tarballs and virtually all zlib distro packages (due to software depending on minizip), but it's just not in libz.so.

   • Embed this notice
     Erin 💽 (erincandescent@queer.af)'s status on Wednesday, 22-Nov-2023 20:54:37 JST Erin 💽

     in reply to

     • Haelwenn /элвэн/ :triskell:

     @lanodan @joshbressers it's in the zlib repo but not zlib the library

   • Embed this notice
     Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 23-Nov-2023 00:19:58 JST Haelwenn /элвэн/ :triskell:

     in reply to

     • Erin 💽
     @joshbressers @erincandescent I have 0 interests in things like policies, only horses I care about in the race are distros, which are just going to patch a finite amount of packages and be done with it.
     
     As for distros I know have zlib package with minizip included: Gentoo (with USE=minizip), Alpine (one recipe/tarball + split minizip-* binary packages).
     (It's likely all distros)
     
     btw if you're wondering about software depending on zlib's minizip, see the "Required by" panel at https://pkgs.alpinelinux.org/package/edge/community/x86/minizip
   • Embed this notice
     Josh Bressers (joshbressers@infosec.exchange)'s status on Thursday, 23-Nov-2023 00:20:00 JST Josh Bressers

     in reply to

     • Haelwenn /элвэн/ :triskell:
     • Erin 💽

     @lanodan @erincandescent

     I've yet to find minizip in any zlib packages (I'm trying to find it)

     But even if it was there, you can make the argue this affects zlib, which is technically correct

     But zlib is special, it's in literally every computing device on the planet

     This is going to waste literally millions of dollars with people either patching to get rid of the vulnerability absolutists, or justifying why it's not a problem over and over again

     Rigidly following rules and policy without exception either means your policy is terrible, or you don't understand what's going on (or both)

     Additionally, this shouldn't have a critical severity. So even if your broken policy makes you keep the data in the system, at least mark the severity appropriately

   • Embed this notice
     broonie (broonie@mastodon.social)'s status on Thursday, 23-Nov-2023 16:22:32 JST broonie

     in reply to

     • Haelwenn /элвэн/ :triskell:
     • Erin 💽

     @joshbressers @lanodan @erincandescent We package it in Debian and hence derivatives - it’s not in the zlib binary package but it is shipped as separate binary packages that do have a userbase.

     Haelwenn /элвэн/ :triskell: likes this.