Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 863851 (CVE-2022-37434) - <sys-libs/zlib-1.2.12-r3: buffer overread in inflateGetHeader()
Summary: <sys-libs/zlib-1.2.12-r3: buffer overread in inflateGetHeader()
Status: CONFIRMED
Alias: CVE-2022-37434
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/ivd38/zlib_overflow
Whiteboard: A3 [glsa? cleanup]
Keywords:
Depends on: 866241
Blocks:
  Show dependency tree
 
Reported: 2022-08-05 17:41 UTC by John Helmert III
Modified: 2022-08-24 17:38 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-05 17:41:23 UTC
CVE-2022-37434:

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Patch: https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-09 01:53:37 UTC
I was deliberately waiting for fallout for a few days before applying. Apparently that was a good idea: https://github.com/curl/curl/issues/9271.

https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d is needed too.
Comment 2 Larry the Git Cow gentoo-dev 2022-08-16 00:52:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05fd542aa1119b54b8ba2bb79817f7016d0cacad

commit 05fd542aa1119b54b8ba2bb79817f7016d0cacad
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-08-16 00:52:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-16 00:52:04 +0000

    sys-libs/zlib: patch CVE-2022-37434
    
    (includes the additional fix which curl exposed too)
    
    Bug: https://bugs.gentoo.org/863851
    Signed-off-by: Sam James <sam@gentoo.org>

 .../zlib/files/zlib-1.2.12-CVE-2022-37434.patch    |  55 ++++++
 sys-libs/zlib/zlib-1.2.12-r3.ebuild                | 199 +++++++++++++++++++++
 2 files changed, 254 insertions(+)