Summary
A critical vulnerability (CVE-2023-45853) has been reported in version 1.3 of the zlib component (https://github.com/madler/zlib). This article discusses its impact, if any, on InstallShield.
Description
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field.
Upon analysis, InstallShield Basic MSI, InstallScript, InstallScript MSI and Suite project setups are not affected by this vulnerability, as these project types do not use the MiniZip component. The InstallShield MSIX/APPX project flow does use MiniZip, but none of its scenarios involve comments, extra fields or long filenames.
Hence, InstallShield setups are not impacted by this vulnerability.
Resolution
As a Defense-in-Depth (DiD) measure, the zlib repository change that fixes the vulnerability upstream has been manually merged into the InstallShield 2023 R2 release.
As the utilized version is based on zlib version 1.3.0.1, security software may still flag InstallShield setups as potentially vulnerable; however, this is a false positive and can be safely ignored. We are actively working on migrating zlib to version 1.3.1 to reduce such false positive warnings in the future. This page will be updated shortly with hotfix availability details.
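The length arithmetic behind this bug class, and the kind of bounds check the upstream fix adds, shown as an added illustration that is not zlib's or InstallShield's code. The functions are a constructed, simplified model of how MiniZip sizes a ZIP central directory header: the 46-byte fixed header and the 16-bit length fields are ZIP format facts, the function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Fixed part of a ZIP central directory header: 46 bytes. */
#define SIZECENTRALHEADER 46u
/* The ZIP format stores filename, extra-field and comment lengths
 * in 16-bit fields, so no field may legitimately exceed this. */
#define ZIP_MAX_FIELD_LEN 0xFFFFu

/* Constructed model of the pre-fix arithmetic: the variable-length
 * field sizes are summed in 32-bit unsigned arithmetic with no range
 * check, so an oversized comment (or filename, or extra field) wraps
 * the total. A buffer allocated from this wrapped value is far too
 * small for the data later written into it: a heap overflow. */
uint32_t unchecked_central_header_size(uint32_t size_filename,
                                       uint32_t size_extrafield,
                                       uint32_t size_comment) {
    return SIZECENTRALHEADER + size_filename + size_extrafield + size_comment;
}

/* Hardened model: reject any field that cannot fit its 16-bit length
 * slot before doing the arithmetic. This mirrors the intent of the
 * upstream fix (return an error instead of allocating). With every
 * field bounded to 0xFFFF the sum cannot wrap in 32 bits either.
 * Returns 0 on rejection (a valid header is never 0 bytes). */
size_t checked_central_header_size(uint32_t size_filename,
                                   uint32_t size_extrafield,
                                   uint32_t size_comment) {
    if (size_filename > ZIP_MAX_FIELD_LEN ||
        size_extrafield > ZIP_MAX_FIELD_LEN ||
        size_comment > ZIP_MAX_FIELD_LEN)
        return 0;
    return (size_t)SIZECENTRALHEADER + size_filename + size_extrafield + size_comment;
}

int main(void) {
    /* Constructed inputs: a 10-byte filename and an absurdly long comment. */
    uint32_t bad_comment = 0xFFFFFFF0u;
    printf("unchecked size: %u bytes (wrapped)\n",
           unchecked_central_header_size(10u, 0u, bad_comment));
    printf("checked size:   %zu (0 = rejected)\n",
           checked_central_header_size(10u, 0u, bad_comment));
    printf("checked, sane:  %zu bytes\n",
           checked_central_header_size(10u, 0u, 20u));
    return 0;
}
```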
References
Related Articles
CVE-2022-37434: Zlib Vulnerability Impact on InstallShield