Support for Zlib 1.3 for InstallShield 2022 R2 version
Hi Team,
Any plans to release a hotfix for the InstallShield 2022 R2 version to support Zlib 1.3?
Hi - We have plans to include zlib 1.3 with InstallShield 2023 R2.
I hope this helps.
Hi,
We have got one critical vulnerability in our application for Zlib (CVE-2023-45853). To fix that, we needed a hotfix or patch for the InstallShield 2022 R2 version.
The CVE-2023-45853 vulnerability specifically targets minizip's use of a long filename, comment or extra field.
InstallShield does not use the comment and extra field and also does not have scenarios that lead to long filenames.
Therefore the vulnerability reported in CVE-2023-45853 does not directly affect InstallShield 2022 R2.
If you have been alerted to this through vulnerability scanning software and it is important for you to remove this from the scan report of the installer, then please upgrade to InstallShield 2023 R2. This version of InstallShield uses the later zlib 1.3 version.
Thanks Shunt for the reply.
We have upgraded to the 2023 R2 version, but the zlib version is showing 1.3. Is that correct?
If so, we wanted a zlib 1.3.1 version. Any plans for this upgrade?
In the 2023 R2 release notes, the Zlib version is mentioned as 1.3.0.1. Is this the same as 1.3 or 1.3.1?
Please clarify this.
Hi @kingraj,
Thank you for your post.
Could you please clarify the business justification for needing zlib 1.3.1 to be included with InstallShield 2023 R2? My understanding is that the vulnerability that you mentioned, CVE-2023-45853, is resolved by zlib 1.3. So what is your reason for needing zlib 1.3.1? Could you please clarify and elaborate in more detail, so we can better understand this issue that you reported?
Please let us know if you have any questions or concerns. Thanks!
Thanks @Revenera_Ian
In the link below, provided by zlib, they are claiming to have fixed the issue in 1.3.1:
https://github.com/madler/zlib/issues/868
This is the confusion we are having: whether the CVE, which is CVE-2023-45853, got fixed in IS 2023R2.
Thanks,
Raghavendra
You're welcome; we're happy to help. Thanks @raghupc
Yes, and what we're saying is that vulnerability CVE-2023-45853 is fixed in zlib 1.3, which is included in InstallShield 2023 R2. Please upgrade to InstallShield 2023 R2 to take advantage of this fix.
Please let us know if you have any questions or concerns. Thanks!
@Revenera_Ian It got fixed in zlib 1.3.1, but IS 2023R2 is showing zlib 1.3.0.1.
Both versions are different. If the CVE which is mentioned above got fixed in zlib 1.3.0.1, then we are good.
Thanks
Thank you for clarifying @raghupc
I'm researching this issue for you, and I'll keep you posted.
Please let us know if you have any questions or concerns. Thanks!
Hi @raghupc,
Thank you for your patience.
Based on our analysis, InstallShield is not susceptible to this vulnerability. We've published the following article to help address any concerns regarding this:
https://community.flexera.com/t5/InstallShield-Knowledge-Base/CVE-2023-45853-zlib-vulnerability-impact-on-InstallShield/ta-p/309926
Please let us know if you have any questions or concerns. Thanks!