Summary: | <sys-libs/zlib-1.2.12-r3: buffer overread in inflateGetHeader() | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | base-system, sam |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/ivd38/zlib_overflow | ||
See Also: | https://github.com/curl/curl/issues/9271 | ||
Whiteboard: | A3 [glsa+] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 866241 | ||
Bug Blocks: | 901981 |
Description
John Helmert III
2022-08-05 17:41:23 UTC
I was deliberately waiting for fallout for a few days before applying. Apparently that was a good idea: https://github.com/curl/curl/issues/9271. https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d is needed too. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05fd542aa1119b54b8ba2bb79817f7016d0cacad commit 05fd542aa1119b54b8ba2bb79817f7016d0cacad Author: Sam James <sam@gentoo.org> AuthorDate: 2022-08-16 00:52:04 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2022-08-16 00:52:04 +0000 sys-libs/zlib: patch CVE-2022-37434 (includes the additional fix which curl exposed too) Bug: https://bugs.gentoo.org/863851 Signed-off-by: Sam James <sam@gentoo.org> .../zlib/files/zlib-1.2.12-CVE-2022-37434.patch | 55 ++++++ sys-libs/zlib/zlib-1.2.12-r3.ebuild | 199 +++++++++++++++++++++ 2 files changed, 254 insertions(+) commit a45d9ec6a1ebfa9e49ad1f0842f54128e54c8f03 Author: Sam James <sam@gentoo.org> Date: Fri Sep 23 03:02:45 2022 +0100 sys-libs/zlib: drop 1.2.11-r4, 1.2.11-r5, 1.2.12-r2 Signed-off-by: Sam James <sam@gentoo.org> GLSA request filed. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=19befd853907b89ff1a5ea81ae63b19dbb1d7655 commit 19befd853907b89ff1a5ea81ae63b19dbb1d7655 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-10-31 20:36:54 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-10-31 20:37:38 +0000 [ GLSA 202210-42 ] zlib: Multiple vulnerabilities Bug: https://bugs.gentoo.org/835958 Bug: https://bugs.gentoo.org/863851 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202210-42.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) GLSA released, all done! |