
Bug#1016710: zlib: CVE-2022-37434


Salvatore Bonaccorso

Aug 5, 2022, 3:40:04 PM
Source: zlib
Version: 1:1.2.11.dfsg-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>
Control: found -1 1:1.2.11.dfsg-1
Control: found -1 1:1.2.11.dfsg-2+deb11u1

Hi,

The following vulnerability was published for zlib.

CVE-2022-37434[0]:
| zlib through 1.2.12 has a heap-based buffer over-read or buffer
| overflow in inflate in inflate.c via a large gzip header extra field.
| NOTE: only applications that call inflateGetHeader are affected. Some
| common applications bundle the affected zlib source code but may be
| unable to call inflateGetHeader (e.g., see the nodejs/node reference).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-37434
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434
[1] https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
[2] https://github.com/ivd38/zlib_overflow

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
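To make the scope note in the CVE text concrete, here is an added illustration that is not part of the bug report or of zlib itself: a standalone parser for the gzip FEXTRA field that models the gz_header contract a caller of zlib's inflateGetHeader() relies on. extra_len reports the full length found in the stream, while the bytes copied out are clamped to the caller's extra_max, so an application must compare the two before treating the copy as complete. The function names and the header bytes are constructed for this example.

```python
import struct

# gzip header flag bit for the optional extra field (RFC 1952)
FEXTRA = 0x04

def parse_gzip_extra(data: bytes, extra_max: int):
    """Parse a gzip member header; return (extra_len, extra_copy).

    Models the gz_header semantics behind inflateGetHeader(): extra_len is
    the XLEN value actually present in the stream, extra_copy is at most
    extra_max bytes of it.  The clamp is what keeps an oversized,
    attacker-controlled XLEN from overrunning the caller's buffer.
    """
    if len(data) < 10:
        raise ValueError("truncated fixed gzip header")
    id1, id2, cm, flg = data[0], data[1], data[2], data[3]
    if (id1, id2) != (0x1F, 0x8B) or cm != 8:
        raise ValueError("not a gzip/deflate header")
    pos = 10                      # past ID1 ID2 CM FLG MTIME(4) XFL OS
    if not flg & FEXTRA:
        return 0, b""
    if len(data) < pos + 2:
        raise ValueError("truncated XLEN")
    (xlen,) = struct.unpack_from("<H", data, pos)
    pos += 2
    avail = data[pos:pos + xlen]
    if len(avail) < xlen:
        raise ValueError("extra field runs past end of input")
    # Never hand back more than extra_max bytes, whatever XLEN says.
    return xlen, avail[:extra_max]

def build_gzip_header(extra: bytes) -> bytes:
    """Constructed sample input: a minimal gzip header carrying FEXTRA."""
    return (bytes([0x1F, 0x8B, 8, FEXTRA]) + b"\x00" * 6
            + struct.pack("<H", len(extra)) + extra)

# Constructed sample: an 8-byte extra field given to a caller with a 4-byte buffer.
SAMPLE_HEADER = build_gzip_header(b"ABCDEFGH")

def demo():
    """Returns (extra_len, clamped copy, whether the caller's copy is incomplete)."""
    extra_len, got = parse_gzip_extra(SAMPLE_HEADER, extra_max=4)
    return extra_len, got, extra_len > 4

if __name__ == "__main__":
    print(demo())  # (8, b'ABCD', True)
```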

Salvatore Bonaccorso

Aug 9, 2022, 2:40:04 AM
There is an additional follow-up commit due to a regression in curl:
https://github.com/curl/curl/issues/9271

https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d

Regards,
Salvatore

Salvatore Bonaccorso

Aug 12, 2022, 5:00:03 PM
Control: tags 1016710 + patch
Control: tags 1016710 + pending


Dear maintainer,

I've prepared an NMU for zlib (versioned as 1:1.2.11.dfsg-4.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
zlib-1.2.11.dfsg-4.1-nmu.diff

Jan Korbel

Aug 22, 2022, 4:30:03 AM
Hello.

Please, is there a plan for stable?

Thanks.

JK

Salvatore Bonaccorso

Aug 22, 2022, 3:50:03 PM
Hello,

On Mon, Aug 22, 2022 at 10:15:09AM +0200, Jan Korbel wrote:
> Hello.
>
> Please, is there a plan for stable?

Yes, this issue will be fixed as well via a DSA in stable.

Regards,
Salvatore

Jan Korbel

Aug 23, 2022, 3:00:02 AM
Ok. I asked because the score of this CVE is 9.8 (critical) and there are
many deps (of public services) on zlib, for example apache, bind etc.

J.

Chris Frey

Sep 2, 2022, 5:40:04 PM
Please note that this same bug still exists in copies of the zlib
library in other packages, such as Firefox. It is unclear to me
that Firefox can never call its own inflateGetHeader() or a variation
of inflate() with the right EXTRA mode flag, simply by examination
of the source. But there are enough calls to zlib that it looks
worthwhile fixing there too.

- Chris

Niels Hendriks

Sep 4, 2022, 5:40:03 PM
Hi,

Hopefully this is the right place to ask this.
We noticed that CVE-2022-37434 shows no fixed version for Debian buster (https://security-tracker.debian.org/tracker/CVE-2022-37434).

Since Bullseye received the fix more than 7 days ago, we were wondering when Buster would get an updated package.
The CVSS score is 9.8, which is why we thought it would also be fixed for Buster.

Thanks!
Niels

__________________________________________________________
RootNet B.V.

Helpdesk: 024 3500112 (9:00 - 17:30)
Service meldingen: rootnet.network
Meldingen via Twitter: twitter.com/RootnetNL