nodejs · nodejs-github-bot · Jun 28, 2026
diff --git a/deps/zlib/contrib/minizip/unzip.c b/deps/zlib/contrib/minizip/unzip.c
@@ -1439,6 +1439,8 @@ local int unz64local_CheckCurrentFileCoherencyHeader(unz64_s* s, uInt* piSizeVar
 */
     if (unz64local_getShort(&s->z_filefunc, s->filestream,&uFlags) != UNZ_OK)
         err=UNZ_ERRNO;
+    else if ((err==UNZ_OK) && ((uFlags & 1) != (s->cur_file_info.flag & 1)))
+        err=UNZ_BADZIPFILE; /* LFH/CD encryption flag mismatch */
 
     if (unz64local_getShort(&s->z_filefunc, s->filestream,&uData) != UNZ_OK)
         err=UNZ_ERRNO;

diff --git a/deps/zlib/contrib/tests/utils_unittest.cc b/deps/zlib/contrib/tests/utils_unittest.cc
@@ -1424,6 +1424,29 @@ TEST(ZlibTest, ZipUnicodePathExtra) {
   EXPECT_EQ(unzClose(uzf), UNZ_OK);
 }
 
+TEST(ZlibTest, ZipEncryptionFlagMismatch) {
+  // Test archive created with info-zip:
+  // $ echo -n a > a && zip -P a -k a.zip a
+  // and then hex-edited to drop the encrypted flag from the central directory.
+  base::FilePath zip_file = TestDataDir().AppendASCII("enc_flag_mismatch.zip");
+
+  unzFile uzf = unzOpen(zip_file.AsUTF8Unsafe().c_str());
+  ASSERT_NE(uzf, nullptr);
+
+  char name[100];
+  unz_file_info file_info;
+
+  ASSERT_EQ(unzGoToFirstFile(uzf), UNZ_OK);
+  ASSERT_EQ(unzGetCurrentFileInfo(uzf, &file_info, name, sizeof(name),
+                                  nullptr, 0, nullptr, 0), UNZ_OK);
+  ASSERT_EQ(std::string(name), "A");
+
+  // minizip should reject the member due to lfh/cd encrypted flag mismatch.
+  EXPECT_EQ(unzOpenCurrentFilePassword(uzf, "a"), UNZ_BADZIPFILE);
+
+  EXPECT_EQ(unzClose(uzf), UNZ_OK);
+}
+
 TEST(ZlibTest, Crbug500521311) {
   base::FilePath zip_file = TestDataDir().AppendASCII("bug500521311.zip");
   unzFile uzf = unzOpen(zip_file.AsUTF8Unsafe().c_str());

diff --git a/deps/zlib/google/test/data/enc_flag_mismatch.zip b/deps/zlib/google/test/data/enc_flag_mismatch.zip
diff --git a/deps/zlib/google/test_data.filelist b/deps/zlib/google/test_data.filelist
@@ -19,6 +19,7 @@ test/data/bug500521311.zip
 test/data/create_symlink_test_zips.py
 test/data/create_test_zip.sh
 test/data/empty.zip
+test/data/enc_flag_mismatch.zip
 test/data/evil.zip
 test/data/evil_via_absolute_file_name.zip
 test/data/evil_via_invalid_utf8.zip

diff --git a/deps/zlib/google/zip_reader_unittest.cc b/deps/zlib/google/zip_reader_unittest.cc
@@ -558,6 +558,24 @@ TEST_F(ZipReaderTest, EncryptedFile_RightPassword) {
   EXPECT_TRUE(reader.ok());
 }
 
+// An entry whose local file header has the "encrypted" general-purpose flag
+// bit set while the central directory does not should be rejected.
+TEST_F(ZipReaderTest, MismatchedEncryptionFlag) {
+  ZipReader reader;
+  ASSERT_TRUE(reader.Open(data_dir_.AppendASCII("enc_flag_mismatch.zip")));
+
+  const ZipReader::Entry* entry = reader.Next();
+  ASSERT_TRUE(entry);
+  EXPECT_EQ(base::FilePath::FromASCII("A"), entry->path);
+  EXPECT_FALSE(entry->is_directory);
+  std::string contents = "dummy";
+  EXPECT_FALSE(reader.ExtractCurrentEntryToString(&contents));
+  EXPECT_EQ("", contents);
+
+  EXPECT_FALSE(reader.Next());
+  EXPECT_TRUE(reader.ok());
+}
+
 // Verifies that the ZipReader class can extract a file from a zip archive
 // stored in memory. This test opens a zip archive in a std::string object,
 // extracts its content, and verifies the content is the same as the expected

diff --git a/deps/zlib/patches/0015-minizip-unzip-enable-decryption.patch b/deps/zlib/patches/0015-minizip-unzip-enable-decryption.patch
@@ -26,3 +26,31 @@ index 82275d6c1775d..c8a01b23efd42 100644
          s->encrypted=1;
      }
  #    endif
+
+commit 874ed6b46a4f75407829e510db77cc673a4c86e7
+Author: Hans Wennborg <hans@chromium.org>
+Date:   Mon Jun 15 11:33:46 2026 +0200
+
+    Check LFH / CD encryption flag consistency
+
+    unz64local_CheckCurrentFileCoherencyHeader performs various consistency
+    checks on the values in the Local File Header and Central Directory.
+    Make it check the encryption flag as well.
+
+    Bug: 514461031
+    Change-Id: Ifaf8620c6e0c345118712bce6e1206bbb83b3a2d
+    Reviewed-on: https://chromium-review.googlesource.com/7942389
+
+diff --git a/third_party/zlib/contrib/minizip/unzip.c b/third_party/zlib/contrib/minizip/unzip.c
+index 0264f7ac570f7..4eb0de302cfdf 100644
+--- a/third_party/zlib/contrib/minizip/unzip.c
++++ b/third_party/zlib/contrib/minizip/unzip.c
+@@ -1439,6 +1439,8 @@ local int unz64local_CheckCurrentFileCoherencyHeader(unz64_s* s, uInt* piSizeVar
+ */
+     if (unz64local_getShort(&s->z_filefunc, s->filestream,&uFlags) != UNZ_OK)
+         err=UNZ_ERRNO;
++    else if ((err==UNZ_OK) && ((uFlags & 1) != (s->cur_file_info.flag & 1)))
++        err=UNZ_BADZIPFILE; /* LFH/CD encryption flag mismatch */
+
+     if (unz64local_getShort(&s->z_filefunc, s->filestream,&uData) != UNZ_OK)
+         err=UNZ_ERRNO;
diff --git a/src/zlib_version.h b/src/zlib_version.h
@@ -2,5 +2,5 @@
 // Refer to tools/dep_updaters/update-zlib.sh
 #ifndef SRC_ZLIB_VERSION_H_
 #define SRC_ZLIB_VERSION_H_
-#define ZLIB_VERSION "1.3.2.1-motley-3246f1b"
+#define ZLIB_VERSION "1.3.2.1-motley-8b3aa8a"
 #endif  // SRC_ZLIB_VERSION_H_