
CVE-2023-45853 (zlib) found on main #161

Closed
github-actions bot opened this issue Oct 20, 2023 · 4 comments

Comments

@github-actions

A new vulnerability for zlib 1.2.13.1-motley was found:
Vulnerability ID: CVE-2023-45853
Vulnerability URL: https://nvd.nist.gov/vuln/detail/CVE-2023-45853
Failed run: https://github.com/nodejs/nodejs-dependency-vuln-assessments/actions/runs/6581614069

@github-actions github-actions bot added the main label Oct 20, 2023
@Neustradamus

@richardlau (Member)

I'm fairly certain that Node.js is not using/exposing minizip -- there are no references to minizip in deps/zlib/zlib.gyp. We don't provide zip support in Node.js (although it has been requested (nodejs/node#45434)).

In any case we're using the chromium fork of zlib, updated weekly (every Sunday with commits that were made up to the prior Friday): tools/dep_updaters/update-zlib.sh
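The reachability reasoning in the comment above (the CVE is in minizip, so it only matters if the build compiles contrib/minizip) can be made mechanical. As an added example that is not Node.js or this repository's code, the script below parses a GYP build file and reports which minizip sources, if any, end up in a target's `sources`; the GYP snippet is constructed, and comment handling is simplified to whole-line `#` comments.

```python
"""Reachability triage for CVE-2023-45853: the bug lives in zlib's bundled minizip, so a
vendored zlib only matters if its GYP targets compile contrib/minizip/*. Added example, not
Node.js code; GYP comment handling is simplified to whole '#' lines."""
import ast
MINIZIP_DIR = "contrib/minizip/"   # where minizip lives inside the zlib tree

def parse_gyp(text):
    """GYP files are Python dict literals with '#' comments; drop those lines, then eval safely."""
    no_comments = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    return ast.literal_eval(no_comments.strip())

def compiled_sources(gyp):
    """Gather every 'sources' list from all targets, including ones nested in 'conditions'."""
    found = []
    def walk(node):
        if isinstance(node, dict):
            for key, val in node.items():
                if key == "sources":
                    found.extend(val)
                else:
                    walk(val)
        elif isinstance(node, list):
            for item in node:
                walk(item)
    walk(gyp)
    return found

def minizip_reachable(gyp_text):
    """Return the minizip sources a build would compile; an empty list means not reachable."""
    return sorted(s for s in compiled_sources(parse_gyp(gyp_text)) if MINIZIP_DIR in s)
# Constructed sample shaped like deps/zlib/zlib.gyp; not the real file.
GYP_WITHOUT_MINIZIP = """
{
  'targets': [
    {
      'target_name': 'zlib', 'type': 'static_library',
      'sources': ['adler32.c', 'deflate.c', 'inflate.c', 'zutil.c'],
      'conditions': [
        ['OS=="win"', {'sources': ['contrib/optimizations/insert_string.h']}],
      ],
    },
  ],
}
"""
# Same file with minizip pulled into the build: here the CVE would apply.
GYP_WITH_MINIZIP = GYP_WITHOUT_MINIZIP.replace(
    "'zutil.c']", "'zutil.c', 'contrib/minizip/zip.c', 'contrib/minizip/ioapi.c']")
if __name__ == "__main__":
    print(minizip_reachable(GYP_WITHOUT_MINIZIP), minizip_reachable(GYP_WITH_MINIZIP))
```

Run against a real zlib.gyp, an empty result supports the "not exposed" conclusion; any hit means the affected code is actually compiled and the advisory needs a proper fix.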

@Neustradamus

@richardlau: Can you look for zlib 1.3.0 (2023-08-18):

@richardlau (Member)

> @richardlau: Can you look for zlib 1.3.0 (2023-08-18):
>
> * https://github.com/madler/zlib/releases

🤷. Node.js has two copies of the chromium fork of zlib (see nodejs/node#33848 and nodejs/node#47493). Porting patches across from non-forked zlib is going to be problematic as we have weekly automation running that syncs from the chromium zlib fork every week, which would overwrite any patches we make.

Node.js used to use zlib from https://github.com/madler/zlib/ but it was switched out for the chromium fork for performance reasons: nodejs/node#31201

You can see the current chromium fork of zlib: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/third_party/zlib/
We don't control that.

No branches or pull requests

4 participants