FS#75521 : [zlib] [security] CVE-2022-37434

FS#75521 - [zlib] [security] CVE-2022-37434

Attached to Project: Arch Linux
Opened by T.J. Townsend (blakkheim) - Friday, 05 August 2022, 16:03 GMT
Last edited by Levente Polyak (anthraxx) - Thursday, 13 October 2022, 13:53 GMT

Task Type	Bug Report
Category	Packages: Core
Status	Closed
Assigned To	Pierre Schmitz (Pierre) Levente Polyak (anthraxx)
Architecture	All
Severity	High
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	2 Siegfried Metz (NiceGuy) (2022-09-23) Marcus Hoffmann (BubuIIC) (2022-08-29)
Private	No

Details

Description:
The zlib package is vulnerable to CVE-2022-37434. The attached diff adds the upstream commit to fix it.

Additional info:
https://vuldb.com/?id.205660
https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1

zlib.diff (1.3 KiB)

This task depends upon

Closed by Levente Polyak (anthraxx)
Thursday, 13 October 2022, 13:53 GMT
Reason for closing: Fixed
Additional comments about closing: 1:1.2.12-3

Comment by T.J. Townsend (blakkheim) - Monday, 08 August 2022, 18:17 GMT

Updated patch with another upstream commit to fix an issue with the original commit.

zlib.diff (1.6 KiB)

Comment by Pierre Schmitz (Pierre) - Wednesday, 10 August 2022, 07:46 GMT

I'll likely wait for a new upstream release than cherry-picking single patches.See comment by upstream developer: https://github.com/madler/zlib/issues/686#issuecomment-1208448043

Comment by T.J. Townsend (blakkheim) - Sunday, 21 August 2022, 20:56 GMT

Upstream still hasn't made a release.

https://github.com/madler/zlib/issues/686
https://github.com/madler/zlib/issues/692

Comment by T.J. Townsend (blakkheim) - Monday, 05 September 2022, 17:53 GMT

It's been over a month now and still no release. I think we should consider backporting these two fixes like Debian/Ubuntu/*BSD have.

Comment by David Runge (dvzrv) - Wednesday, 12 October 2022, 07:54 GMT

@Pierre: Is there a reason why a core library would not get a security fix applied within a reasonable amount of time?

Zlib is used in many other packages and the potential for abusing this is rather large (especially as time passes without us fixing it).

Please apply both

https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d

(as noted in https://www.openwall.com/lists/oss-security/2022/08/09/1).

Comment by Pierre Schmitz (Pierre) - Thursday, 13 October 2022, 13:45 GMT

@David: I simply followed the upstream author's suggestion to wait for the next patch release, which was tagged 6 hours ago: https://github.com/madler/zlib/blob/master/ChangeLog#L4-L14 I'd suggest to wait to e.g. tomorrow and check if the tgz was uploaded; otherwise use the GitHub tag.

I'll remove myself as maintainer as there are now two additional maintainers added.

Comment by Levente Polyak (anthraxx) - Thursday, 13 October 2022, 13:52 GMT

@Pierre: That's not how we should handle security sensitive patches, I agree with David on this topic. With or without the release 6 hours ago this has been sitting around way too long.

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#75521 - [zlib] [security] CVE-2022-37434

Details

Loading...