
Q: Are there any plans to fix CVE-2023-39136 (DoS attacks) vulnerability for releases before 2.5.0 version? #692

Closed
anton-patrushev opened this issue Dec 18, 2023 · 1 comment

@anton-patrushev

Actual behavior

The 2.2.3 package is vulnerable to CVE-2023-39136 vulnerability. All packages before 2.5.4 are vulnerable to this issue.

Expected behavior

Packages with no requirements to have iOS 15+ as the minimal iOS version have a fix for CVE-2023-39136 vulnerability.

Version of ZipArchive

Lower than 2.5.0

Environmental information

The minimal iOS version is 12.4

@jhudsonWA
Member

No. As stated on the main page of this project:

A key dependency of this project is the zlib library. zlib before version 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches according to CVE-2018-25032.

zlib 1.2.12 is included in macOS 10.15+ (with latest security patches), iOS 15.5+, tvOS 15.4+, watchOS 8.4+. As such, these OS versions will be the new minimums as of version 2.5.0 of ZipArchive.

If you are using an older version of ZipArchive, you are on your own for choosing to use a version of this package on OS versions that are vulnerable.
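Since the maintainer's answer is that older releases will not be patched, the practical follow-up for a defender is to find out which ZipArchive version each app actually resolves to. The script below is an added example, not code from this issue or from the ZipArchive project: it reads a CocoaPods `Podfile.lock` and a SwiftPM `Package.resolved`, extracts the resolved ZipArchive version, and flags anything below the 2.5.4 threshold quoted in the issue body. The pod name `SSZipArchive`, the SwiftPM identity `ziparchive`, the lock-file layouts, and the sample lock contents are all assumptions constructed for the example.

```python
"""Flag a ZipArchive dependency resolved below a known-fixed release.

Added example for dependency auditing; not part of the ZipArchive project.
"""
import json
import re
from typing import List, Optional, Tuple

# Threshold taken from the issue text ("all packages before 2.5.4 are
# vulnerable"). Assumption: confirm it against the advisory you act on.
FIXED_VERSION = "2.5.4"
# Assumed CocoaPods pod name and SwiftPM package identity for ZipArchive.
POD_NAME = "SSZipArchive"
SPM_IDENTITY = "ziparchive"

# Top-level PODS entries look like "  - Name (1.2.3)" or "  - Name/Sub (1.2.3):".
# Only exact versions (starting with a digit) are matched, so the "(~> 2.2)"
# constraints in DEPENDENCIES or nested lines are ignored.
POD_LINE = re.compile(
    r"^  -\s+(?P<name>[A-Za-z0-9_.+-]+)(?:/\S+)?\s+\((?P<ver>\d[^)]*)\)"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.4' into (2, 5, 4); stops at the first non-numeric piece."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` sorts below the first fixed release."""
    return parse_version(version) < parse_version(fixed)


def pod_version(lock_text: str, pod: str = POD_NAME) -> Optional[str]:
    """Resolved version of `pod` from the PODS: section of a Podfile.lock."""
    in_pods = False
    for line in lock_text.splitlines():
        if line.startswith("PODS:"):
            in_pods = True
            continue
        if in_pods and line and not line.startswith(" "):
            break  # reached the next top-level section (DEPENDENCIES:, ...)
        if not in_pods:
            continue
        m = POD_LINE.match(line)
        if m and m.group("name") == pod:
            return m.group("ver")
    return None


def spm_version(resolved_text: str, identity: str = SPM_IDENTITY) -> Optional[str]:
    """Pinned version from Package.resolved (v2 'pins' or v1 'object.pins')."""
    data = json.loads(resolved_text)
    pins = data.get("pins") or data.get("object", {}).get("pins", [])
    for pin in pins:
        ident = (pin.get("identity") or pin.get("package") or "").lower()
        location = (pin.get("location") or pin.get("repositoryURL") or "").lower()
        if ident == identity or identity in location:
            return (pin.get("state") or {}).get("version")
    return None


def audit(podfile_lock: Optional[str] = None,
          package_resolved: Optional[str] = None) -> List[Tuple[str, str, bool]]:
    """Return (source file, resolved version, below-threshold?) per lock file."""
    findings: List[Tuple[str, str, bool]] = []
    if podfile_lock is not None:
        v = pod_version(podfile_lock)
        if v is not None:
            findings.append(("Podfile.lock", v, is_vulnerable(v)))
    if package_resolved is not None:
        v = spm_version(package_resolved)
        if v is not None:
            findings.append(("Package.resolved", v, is_vulnerable(v)))
    return findings


# Constructed sample inputs: one app pinned to 2.2.3 via CocoaPods, one to
# 2.5.5 via SwiftPM. Neither is taken from a real project.
SAMPLE_PODFILE_LOCK = """PODS:
  - AFNetworking (4.0.1):
    - AFNetworking/NSURLSession (= 4.0.1)
  - SSZipArchive (2.2.3)

DEPENDENCIES:
  - SSZipArchive (~> 2.2)
"""
SAMPLE_PACKAGE_RESOLVED = json.dumps({
    "pins": [{
        "identity": "ziparchive",
        "kind": "remoteSourceControl",
        "location": "https://github.com/ZipArchive/ZipArchive.git",
        "state": {"revision": "PLACEHOLDER_COMMIT", "version": "2.5.5"},
    }],
    "version": 2,
})

if __name__ == "__main__":
    for source, version, flagged in audit(SAMPLE_PODFILE_LOCK, SAMPLE_PACKAGE_RESOLVED):
        status = "BELOW FIXED VERSION" if flagged else "ok"
        print(f"{source}: ZipArchive {version} -> {status}")
```

Run it against a real checkout by reading the two lock files into strings and passing them to `audit()`; a `True` in the third field means the resolved release predates the fix and, per the maintainer's note above, the only remedy is moving to 2.5.x with its higher OS minimums.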
