@gluesmith2021

  • What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)

bug fix

  • What is the current behavior? (You can also link to an open issue here)

Does not search for CVEs for zlib if it is detected with the unzip version string, because the leading space in the matched string is kept in the name:version replacement string.

In s09_firmware_base_version_check.txt

[+] Version information found  unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll in binary logs/firmware/patool_extraction/disk3/opt/navi/EBNavi/libBusinessLogic.so (-rwxrwxr-x root root) (license: Zlib) (static).
[+] Version information found  unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll in binary logs/firmware/patool_extraction/disk3/opt/navi/asia_navi/apnnavc (-rwxrwxr-x root root) (license: Zlib) (static).

In f20_vul_aggregator.txt

[-] WARNING: Broken version identifier found:  zlib:1.0.1

Then F20 does not proceed any further.

  • What is the new behavior (if this is a feature change)? If possible add a screenshot.

Now with the extra leading space removed, it correctly identifies zlib and finds CVEs:

[*] Vulnerability details for zlib / version 1.0.1 / source STAT:

	BIN NAME            :   BIN VERS    :   CVE ID            :  CVSS VALUE : EPSS :   SOURCE         :   EXPLOIT
	zlib                :   1.0.1       :  	CVE-2018-25032    :   7.5       :  NA  :   STAT           :   No exploit available
	zlib                :   1.0.1       :  	CVE-2002-0059     :   9.8       :  NA  :   STAT           :   No exploit available
	zlib                :   1.0.1       :  	CVE-2022-37434    :   9.8       :  NA  :   STAT           :   No exploit available
	zlib                :   1.0.1       :  	CVE-2023-6992     :   5.5       :  NA  :   STAT           :   No exploit available
	zlib                :   1.0.1       :  	CVE-2023-45853    :   9.8       :  NA  :   STAT           :   No exploit available

[+] Found 5 CVEs and 0 exploits (including POC's) in zlib with version 1.0.1 (source STAT).

  • Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)

No

  • Other information:

@m-1-k-3 m-1-k-3 merged commit e661ffd into e-m-b-a:master May 22, 2024
@gluesmith2021 gluesmith2021 deleted the fix_zlib_version_string branch May 22, 2024 23:05
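
The failure mode described in this PR, as an added example that is not EMBA's code: a rewrite rule that leaves the text in front of the match untouched yields ` zlib:1.0.1`, which a strict identifier check rejects, so no CVE lookup happens. The sed rules, the function names and the identifier pattern are assumptions made for illustration; the sample string is constructed from the S09 log lines above.

```shell
#!/bin/sh
# Constructed sample: the matched string from the S09 log, leading space included.
SAMPLE=' unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll'

# Hypothetical rule (before): only the matched part is replaced, so any
# text in front of "unzip" survives into the name:version string.
rewrite_before() {
  printf '%s\n' "$1" |
    sed -E 's/unzip ([0-9])\.([0-9])([0-9]) Copyright.*/zlib:\1.\2.\3/'
}

# Hypothetical rule (after): leading whitespace is consumed by the match.
rewrite_after() {
  printf '%s\n' "$1" |
    sed -E 's/^[[:space:]]*unzip ([0-9])\.([0-9])([0-9]) Copyright.*/zlib:\1.\2.\3/'
}

# Assumed strict format check: name:version with no whitespace anywhere.
is_valid_identifier() {
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9_+.-]+:[0-9][A-Za-z0-9._-]*$'
}

# Defensive variant for the consumer side: trim surrounding whitespace first,
# then validate, and fail if the result is still malformed.
normalize_identifier() {
  trimmed=$(printf '%s\n' "$1" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
  is_valid_identifier "$trimmed" || return 1
  printf '%s\n' "$trimmed"
}

# Show both rule variants on the sample; brackets make the stray space visible.
for id in "$(rewrite_before "$SAMPLE")" "$(rewrite_after "$SAMPLE")"; do
  if is_valid_identifier "$id"; then
    echo "ok:     [$id]"
  else
    echo "broken: [$id]"
  fi
done
```

Printing identifiers inside brackets, as the loop does, makes this class of whitespace defect visible in logs where it would otherwise be easy to miss.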