Fixed in 4.0.3 which is the latest (unstable) version in tree. Vulnerability filed for kuroneko. Package maintainers not added as CC at least initially since there is nothing to do if cleanup isn't necessary. https://www.cve.org/CVERecord?id=CVE-2023-48106 Buffer Overflow vulnerability in zlib-ng minizip-ng v.4.0.2 allows an attacker to execute arbitrary code via a crafted file to the mz_path_resolve function in the mz_os.c file. https://github.com/zlib-ng/minizip-ng/issues/740#issuecomment-1807233928 The issue with this one is a filename of the form x/../fred. The code in mz_path_resolve tries to remove the .. by walking backwards to the preceding /. It wants to end up with the filename fred, but in this case there isn't a preceeding /, so it walks past the start of the buffer.
CVE-2023-48107 (https://github.com/zlib-ng/minizip-ng/issues/739): Buffer Overflow vulnerability in zlib-ng minizip-ng v.4.0.2 allows an attacker to execute arbitrary code via a crafted file to the mz_path_has_slash function in the mz_os.c file.
