FS#75521 - [zlib] [security] CVE-2022-37434

Attached to Project: Arch Linux
Opened by T.J. Townsend (blakkheim) - Friday, 05 August 2022, 16:03 GMT
Last edited by Levente Polyak (anthraxx) - Thursday, 13 October 2022, 13:53 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Pierre Schmitz (Pierre)
Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No


The zlib package is vulnerable to CVE-2022-37434. The attached diff adds the upstream commit to fix it.

Closed by Levente Polyak (anthraxx)
Thursday, 13 October 2022, 13:53 GMT
Reason for closing: Fixed
Additional comments about closing: 1:1.2.12-3
Comment by T.J. Townsend (blakkheim) - Monday, 08 August 2022, 18:17 GMT
Updated patch with another upstream commit to fix an issue with the original commit.
Comment by Pierre Schmitz (Pierre) - Wednesday, 10 August 2022, 07:46 GMT
I'll likely wait for a new upstream release rather than cherry-picking single patches. See comment by upstream developer: https://github.com/madler/zlib/issues/686#issuecomment-1208448043
Comment by T.J. Townsend (blakkheim) - Sunday, 21 August 2022, 20:56 GMT
Comment by T.J. Townsend (blakkheim) - Monday, 05 September 2022, 17:53 GMT
It's been over a month now and still no release. I think we should consider backporting these two fixes like Debian/Ubuntu/*BSD have.
Comment by David Runge (dvzrv) - Wednesday, 12 October 2022, 07:54 GMT
@Pierre: Is there a reason why a core library would not get a security fix applied within a reasonable amount of time?

Zlib is used in many other packages and the potential for abusing this is rather large (especially as time passes without us fixing it).

Please apply both


(as noted in https://www.openwall.com/lists/oss-security/2022/08/09/1).
Comment by Pierre Schmitz (Pierre) - Thursday, 13 October 2022, 13:45 GMT
@David: I simply followed the upstream author's suggestion to wait for the next patch release, which was tagged 6 hours ago: https://github.com/madler/zlib/blob/master/ChangeLog#L4-L14
I'd suggest waiting until e.g. tomorrow and checking whether the tgz was uploaded; otherwise use the GitHub tag.

I'll remove myself as maintainer as there are now two additional maintainers added.
Comment by Levente Polyak (anthraxx) - Thursday, 13 October 2022, 13:52 GMT
@Pierre: That's not how we should handle security-sensitive patches; I agree with David on this topic. With or without the release 6 hours ago, this has been sitting around way too long.