Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 863851 (CVE-2022-37434) - <sys-libs/zlib-1.2.12-r3: buffer overread in inflateGetHeader()
Summary: <sys-libs/zlib-1.2.12-r3: buffer overread in inflateGetHeader()
Alias: CVE-2022-37434
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa? cleanup]
Depends on: 866241
  Show dependency tree
Reported: 2022-08-05 17:41 UTC by John Helmert III
Modified: 2022-08-24 17:38 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-05 17:41:23 UTC

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-09 01:53:37 UTC
I was deliberately waiting for fallout for a few days before applying. Apparently that was a good idea: is needed too.
Comment 2 Larry the Git Cow gentoo-dev 2022-08-16 00:52:15 UTC
The bug has been referenced in the following commit(s):

commit 05fd542aa1119b54b8ba2bb79817f7016d0cacad
Author:     Sam James <>
AuthorDate: 2022-08-16 00:52:04 +0000
Commit:     Sam James <>
CommitDate: 2022-08-16 00:52:04 +0000

    sys-libs/zlib: patch CVE-2022-37434
    (includes the additional fix which curl exposed too)
    Signed-off-by: Sam James <>

 .../zlib/files/zlib-1.2.12-CVE-2022-37434.patch    |  55 ++++++
 sys-libs/zlib/zlib-1.2.12-r3.ebuild                | 199 +++++++++++++++++++++
 2 files changed, 254 insertions(+)