Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2022-37434

Published: 5 August 2022

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Notes

AuthorNote
mdeslaur
Since 3.1.3-7, rsync builds with the system zlib.
Apps are only vulnerable if they use inflateGetHeader() and
call inflate() in a loop.
This fix caused a regression, see:
https://www.openwall.com/lists/oss-security/2022/08/09/1
https://github.com/curl/curl/issues/9271
The second commit below fixes the regression.

Priority

Medium

Cvss 3 Severity Score

9.8

Score breakdown

Status

Package Release Status
rsync
Launchpad, Ubuntu, Debian
bionic
Released (3.1.2-2.1ubuntu1.5)
jammy Not vulnerable
(uses system zlib)
kinetic Not vulnerable
(uses system zlib)
trusty Not vulnerable
(uses system zlib)
upstream Needs triage

xenial
Released (3.1.1-3ubuntu1.3+esm2)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
focal
Released (3.1.3-8ubuntu0.4)
Patches:
upstream: https://github.com/WayneD/rsync/commit/788f11ea6afeb96f0d84f140192165a1ca12ade4
upstream: https://github.com/WayneD/rsync/commit/9e2921fce8c518e370c324407d35bc83ba12f2d5


zlib
Launchpad, Ubuntu, Debian
bionic
Released (1:1.2.11.dfsg-0ubuntu2.2)
kinetic Not vulnerable
(1:1.2.11.dfsg-4.1ubuntu1)
trusty
Released (1:1.2.8.dfsg-1ubuntu1.1+esm2)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
xenial
Released (1:1.2.8.dfsg-2ubuntu4.3+esm2)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
upstream
Released (1.2.13, 1:1.2.11.dfsg-4.1)
focal
Released (1:1.2.11.dfsg-2ubuntu1.5)
jammy
Released (1:1.2.11.dfsg-2ubuntu9.2)
Patches:


upstream: https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
upstream: https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d

Severity score breakdown

Parameter Value
Base score 9.8
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H