Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 863851

Summary: <sys-libs/zlib-1.2.12-r3: buffer overread in inflateGetHeader()
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/ivd38/zlib_overflow
See Also: https://github.com/curl/curl/issues/9271
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 866241    
Bug Blocks: 901981    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-05 17:41:23 UTC 
CVE-2022-37434:

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Patch: https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-09 01:53:37 UTC 
I was deliberately waiting for fallout for a few days before applying. Apparently that was a good idea: https://github.com/curl/curl/issues/9271.

https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d is needed too.
Comment 2 Larry the Git Cow gentoo-dev 2022-08-16 00:52:15 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05fd542aa1119b54b8ba2bb79817f7016d0cacad

commit 05fd542aa1119b54b8ba2bb79817f7016d0cacad
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-16 00:52:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-16 00:52:04 +0000

    sys-libs/zlib: patch CVE-2022-37434
    
    (includes the additional fix which curl exposed too)
    
    Bug: https://bugs.gentoo.org/863851
    Signed-off-by: Sam James <sam@gentoo.org>

 .../zlib/files/zlib-1.2.12-CVE-2022-37434.patch    |  55 ++++++
 sys-libs/zlib/zlib-1.2.12-r3.ebuild                | 199 +++++++++++++++++++++
 2 files changed, 254 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 22:22:13 UTC 
commit a45d9ec6a1ebfa9e49ad1f0842f54128e54c8f03
Author: Sam James <sam@gentoo.org>
Date:   Fri Sep 23 03:02:45 2022 +0100

    sys-libs/zlib: drop 1.2.11-r4, 1.2.11-r5, 1.2.12-r2

    Signed-off-by: Sam James <sam@gentoo.org>
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-10-14 22:22:19 UTC 
GLSA request filed.
Comment 5 Larry the Git Cow gentoo-dev 2022-10-31 20:37:58 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=19befd853907b89ff1a5ea81ae63b19dbb1d7655

commit 19befd853907b89ff1a5ea81ae63b19dbb1d7655
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 20:36:54 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 20:37:38 +0000

    [ GLSA 202210-42 ] zlib: Multiple vulnerabilities
    
    Bug: https://bugs.gentoo.org/835958
    Bug: https://bugs.gentoo.org/863851
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-42.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 20:40:01 UTC 
GLSA released, all done!