Headline
CVE-2023-45853: Minizip: Zip and UnZip additional library
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.
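As an added example (not code from this page or from the zlib project), the C code below is a hypothetical caller-side guard, check_zip_entry, that rejects a file name, extra field or comment longer than the 65535 bytes a ZIP header's 2-byte length fields can record, before those values are passed to zipOpenNewFileInZip4_64. The function, enum and macro names are assumptions made for the example; 46 bytes is the fixed part of a central directory header in the ZIP specification.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ZIP headers store name, extra-field and comment lengths in 2-byte fields. */
#define ZIP_FIELD_MAX 0xFFFFu
#define CENTRAL_FIXED 46u   /* fixed part of a central directory file header */

enum entry_check { ENTRY_OK, ENTRY_BAD_ARG, ENTRY_NAME_LONG,
                   ENTRY_EXTRA_LONG, ENTRY_COMMENT_LONG };

/* Length of s, scanning at most limit + 1 bytes; limit + 1 means "too long". */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n <= limit && s[n] != '\0')
        n++;
    return n;
}

/* Hypothetical guard (not a minizip function). Parameters mirror the name,
 * extra-field and comment arguments of zipOpenNewFileInZip4_64(). On ENTRY_OK,
 * *central_size receives the size of the entry's central directory record. */
enum entry_check check_zip_entry(const char *filename,
                                 size_t extra_local_len, size_t extra_global_len,
                                 const char *comment, size_t *central_size)
{
    size_t name_len, comment_len;
    if (filename == NULL || central_size == NULL) return ENTRY_BAD_ARG;
    name_len = bounded_len(filename, ZIP_FIELD_MAX);
    comment_len = comment ? bounded_len(comment, ZIP_FIELD_MAX) : 0;
    if (name_len > ZIP_FIELD_MAX) return ENTRY_NAME_LONG;
    if (extra_local_len > ZIP_FIELD_MAX || extra_global_len > ZIP_FIELD_MAX)
        return ENTRY_EXTRA_LONG;
    if (comment_len > ZIP_FIELD_MAX) return ENTRY_COMMENT_LONG;
    /* Every term is <= 0xFFFF here, so the sum cannot wrap. */
    *central_size = CENTRAL_FIXED + name_len + extra_global_len + comment_len;
    return ENTRY_OK;
}

int main(void)
{
    static char long_name[ZIP_FIELD_MAX + 2];   /* constructed sample input */
    size_t size = 0;
    memset(long_name, 'a', ZIP_FIELD_MAX + 1);  /* 65536 bytes: one too many */
    printf("short: %d\n", check_zip_entry("docs/readme.txt", 0, 0, "note", &size));
    printf("central record size: %zu\n", size);
    printf("long:  %d\n", check_zip_entry(long_name, 0, 0, NULL, &size));
    return 0;
}
```

Callers that cannot yet upgrade past zlib 1.3 can run a check of this kind on any metadata taken from untrusted input and skip the entry on a non-zero result.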
Note (2022): the minizip sources are available on the contrib/zlib GitHub page. There is also minizip-ng, a rewritten library with more features (like zlib-ng, a reworked and faster zlib). You’ll also find SmartVersion with source code.
Click to download Minizip (zip/unzip) package for zLib version 1.01h, with minor bugfixes, or, better, 1.1 (with zip64 support).
This package makes it possible to extract files from a .zip archive file. It is compatible with PKZip 2.04g, WinZip, InfoZip, MimarSinan Codex Suite 2002 tools, and compatible software.
It runs both under Linux and Windows, and probably other systems too. Encryption, multi-volume Zip files (span), and old compression methods used by old PKZip 1.x are not supported.
See appnote-011203-iz.zip or appnote-iz-latest.zip for the specification of the ZIP format (or appnote-981119-iz.zip for older versions). Pkware also provides probdesc.zip and an HTML page with the specification.
What is Minizip (Zip/Unzip)?
The Zlib library makes it possible to deflate compressed files and to create gzip (.gz) files. Zlib is free software and small.
An archive in ZIP format can contain several files compressed with this method, while a .gz archive can contain only one file. It is a very popular format, which is why I have written a package for reading files compressed within a Zip archive.
How to get the Minizip package
You need the source code of Zlib (zlib125.zip or zlib-1.2.5.tar.gz; for the previous version, get zlib114.zip, or by FTP zlib114.zip).
Now, with versions 1.23, 1.24, 1.25 and 1.14 of zLib, the Minizip library is included in the contrib/minizip directory.
In zlib125dll.zip there is the Win32 build of my Windows DLL, named Zlibwapi.dll, which contains both zLib and Minilib.
For the previous version, in zlib114dll.zip you will find the Windows DLL (Win16 and Win32) and the static library (Win32) of Zlib 1.14 WITH the zip/unzip package.
Please note I have added in buildzlib114dll.zip the version of zip.c/unzip.c (0.21).
You must read zip.h and unzip.h, which contain the documentation of the zip and unzip functions.
March 2003: you can get version 0.21 with support for custom I/O functions to read and write zip files, and raw I/O (in order to duplicate files from one zip archive to another without uncompressing or compressing). There is also a modified version of unzip with uncrypting, written by Terry Thorsen.
You can also get version 0.22e with crypting/uncrypting (do a #define NOCRYPT if you don’t need it) and adding a file to an existing Zip archive.
15 March 2010: You can now download version 1.01h, with minor bugfixes, or, better, 1.1 with zip64 support.
Justin Fletcher wrote a very simple implementation of a memory access method for the ioapi code (ioapi_mem_c.zip). Ivan A. Krestinin wrote a small example of how to delete a file from a zip archive. This example is not fully tested (memory leaks are possible if the source archive is corrupt), but it might help you.
Unzipping files
The source code is made of only two files: unzip.h and unzip.c (plus ioapi.c and a few other include files). It uses the Zlib library.
miniunz.c is a very simple, but real unzip program. It can display files contained in a Zip archive or extract them.
Zipping files
The source code is made of only two files: zip.h and zip.c (plus ioapi.c and a few other include files). It uses the Zlib library.
minizip.c is a very simple, but real zip program.
A C++ Wrapper
Daniel Godson made a C++ wrapper for the zip/unzip library. Another can be found at Troels' page.
A full MFC sample
In the CodeGuru developers site, there is an excellent example, ‘Implementing a “Send as ZIP-File” command in Scribble’ written by Stefan Kuhr. Unfortunately, this example is not built with the good, standard zLib DLL (see the DLL page). Download mapizip_demo_gooddll.zip for a fixed project which uses the good DLL.
Extension to Minizip
Troels K. worked hard on the Minizip library. He has made several add-ons, including a proposal for unzAttach/unzDetach.
Other examples
Jukka Pihl wrote the mod_ziplook Apache module. It makes it possible to view zip archive files directly in Apache without extracting them to the filesystem. It also uses HTTP compression (supported by W3C, like Microsoft IIS, Apache mod_deflate and examples in Python and Jython). Bashuman Deb wrote FTP paging support for miniunz.
Miscellaneous
The Gilles Vollant software forum contains a section about Minizip.
Please also email me for feedback.
Future of ZIP file format
It seems that the ZIP file format will change. The web sites PCWorld (and this new article), IDG, SlashDot contain information about ZIP’s future. The PkWare site contains a new specification, and InfoZip also has a ZIP specification. WinZip also specifies new encryption. The PKWare specification mentions a new BZip2 compression method (there is a “zlib-like” library for BZip2 compression).
Latest revision: 2010-03-15
Related news
Ubuntu Security Notice 7107-1 - It was discovered that Minizip in zlib incorrectly handled certain zip header fields. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code.
Gentoo Linux Security Advisory 202401-18 - A vulnerability has been found in zlib that can lead to a heap-based buffer overflow. Versions greater than or equal to 1.2.13-r2 are affected.
Red Hat Security Advisory 2023-7626-03 - Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 2 is now available. Issues addressed include buffer overflow, denial of service, information leakage, and integer overflow vulnerabilities.
Under certain conditions, a low-privileged attacker could load a specially crafted file during installation or upgrade to escalate privileges on Windows and Linux hosts.