CVE-2022-37434

Published: 5 August 2022

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Notes

Author: mdeslaur
Since 3.1.3-7, rsync builds with the system zlib.
Apps are only vulnerable if they use inflateGetHeader() and
call inflate() in a loop.
This fix caused a regression, see:
https://www.openwall.com/lists/oss-security/2022/08/09/1
https://github.com/curl/curl/issues/9271
The second commit below fixes the regression.
Priority

Medium

Status

Package: rsync (Launchpad, Ubuntu, Debian)
  Release   Status
  bionic    Needed
  focal     Needed
  jammy     Not vulnerable (uses system zlib)
  trusty    Not vulnerable (uses system zlib)
  upstream  Needs triage
  xenial    Needed

Package: zlib (Launchpad, Ubuntu, Debian)
  Release   Status
  bionic    Needs triage
  focal     Needs triage
  jammy     Needs triage
  trusty    Needs triage
  upstream  Needs triage
  xenial    Needs triage

Patches:
upstream: https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
upstream: https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d