Update to zlib 1.3 + CVE fix in more...

[Neustradamus]

Dear @smihica,

Can you update the code?

There is a zlib 1.3 and a CVE fix in more (you can use current git devel branch):

• GHSA-mq29-j5xf-cjwr
• Please release 1.3.1 to fix CVE-2023-45853 (9.8 CRITICAL) madler/zlib#868
• minizip: Check length of comment, filename, and extra field, in zipOpenNewFileInZip4_64 madler/zlib#843
• madler/zlib@73331a6

Note that there are other CVE fixes in previous builds too.

Example:

• @agabarre97: zlib vulnerability #42
• @okuuva: chore(zlib): update zlib to 1.2.12 #43
• @SCH227: Security Address #51

Thanks in advance.

[JudahSchwartz]

@smihica any update here?

[Neustradamus]

Zlib 1.3.1 has been released (2024-01-22) with 2 CVE fixes for Minizip:

• https://github.com/madler/zlib/releases/tag/v1.3.1
• https://zlib.net/

[asaf400]

From what I've seen, Debian 12 still hasn't created a new deb release with the fixes
just for anyone who's looking for a fix with bookworm at this time: https://security-tracker.debian.org/tracker/CVE-2023-45853