zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
I was deliberately waiting for fallout for a few days before applying. Apparently that was a good idea: https://github.com/curl/curl/issues/9271.
https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d is needed too.
The bug has been referenced in the following commit(s):
Author: Sam James <firstname.lastname@example.org>
AuthorDate: 2022-08-16 00:52:04 +0000
Commit: Sam James <email@example.com>
CommitDate: 2022-08-16 00:52:04 +0000
sys-libs/zlib: patch CVE-2022-37434
(includes the additional fix which curl exposed too)
Signed-off-by: Sam James <firstname.lastname@example.org>
.../zlib/files/zlib-1.2.12-CVE-2022-37434.patch | 55 ++++++
sys-libs/zlib/zlib-1.2.12-r3.ebuild | 199 +++++++++++++++++++++
2 files changed, 254 insertions(+)