Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#75521 - [zlib] [security] CVE-2022-37434
Attached to Project:
Arch Linux
Opened by T.J. Townsend (blakkheim) - Friday, 05 August 2022, 16:03 GMT
Last edited by Levente Polyak (anthraxx) - Thursday, 13 October 2022, 13:53 GMT
Details
Description:
The zlib package is vulnerable to CVE-2022-37434. The attached diff adds the upstream commit to fix it.
Additional info:
https://vuldb.com/?id.205660
https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
Closed by Levente Polyak (anthraxx)
Thursday, 13 October 2022, 13:53 GMT
Reason for closing: Fixed
Additional comments about closing: 1:1.2.12-3
https://github.com/madler/zlib/issues/686
https://github.com/madler/zlib/issues/692
Zlib is used in many other packages and the potential for abusing this is rather large (especially as time passes without us fixing it).
Please apply both
https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
(as noted in https://www.openwall.com/lists/oss-security/2022/08/09/1).
I'll remove myself as maintainer as there are now two additional maintainers added.