On Fri, Aug 05, 2022 at 09:26:31PM +0200, Salvatore Bonaccorso wrote:
> Source: zlib
> Version: 1:1.2.11.dfsg-4
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> Control: found -1 1:1.2.11.dfsg-1
> Control: found -1 1:1.2.11.dfsg-2+deb11u1
>
> Hi,
>
> The following vulnerability was published for zlib.
>
> CVE-2022-37434[0]:
> | zlib through 1.2.12 has a heap-based buffer over-read or buffer
> | overflow in inflate in inflate.c via a large gzip header extra field.
> | NOTE: only applications that call inflateGetHeader are affected. Some
> | common applications bundle the affected zlib source code but may be
> | unable to call inflateGetHeader (e.g., see the nodejs/node reference).
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2022-37434
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434
> [1] https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
> [2] https://github.com/ivd38/zlib_overflow
>
> Please adjust the affected versions in the BTS as needed.

There is an additional followup commit due to regression in curl:

https://github.com/curl/curl/issues/9271
https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d

Regards,
Salvatore
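As an added illustration of the bounded-copy logic behind the upstream fix (example code written for this thread, not zlib's own source and not anything posted in the report), here is a Python model of how inflate() copies the gzip FEXTRA field into the caller's extra buffer: `build_gzip_header`, `parse_extra_field` and `copy_extra` are hypothetical names, the 100-byte field is constructed, and writes that would land past `extra_max` are counted rather than performed so the model runs safely.

```python
import struct

FEXTRA = 0x04  # gzip FLG bit announcing the optional "extra field"


def build_gzip_header(extra: bytes) -> bytes:
    """Constructed sample: a gzip header (ID1 ID2 CM FLG MTIME XFL OS) carrying an FEXTRA field."""
    return (b"\x1f\x8b\x08" + bytes([FEXTRA]) + b"\x00\x00\x00\x00\x00\xff"
            + struct.pack("<H", len(extra)) + extra)


def parse_extra_field(hdr: bytes) -> bytes:
    """Return the raw extra field the header declares (b"" when FEXTRA is not set)."""
    if hdr[:2] != b"\x1f\x8b" or hdr[2] != 8:
        raise ValueError("not a gzip header")
    if not hdr[3] & FEXTRA:
        return b""
    xlen = struct.unpack_from("<H", hdr, 10)[0]   # XLEN sits right after the 10-byte fixed header
    return hdr[12:12 + xlen]


def copy_extra(extra: bytes, extra_max: int, chunk: int, bounded: bool) -> tuple[bytes, int]:
    """Model of inflate()'s EXTRA state: the field arrives in input chunks and is copied into
    a caller-supplied buffer of extra_max bytes; `length` is how much of the field has been
    consumed so far.  bounded=False reproduces the pre-fix check (copy a whole chunk as long
    as length < extra_max), bounded=True the fix (clamp the copy to extra_max - length).
    Returns (buffer contents, number of bytes that would have been written past the buffer)."""
    buf = bytearray(extra_max)
    past_end = 0
    length = 0
    for pos in range(0, len(extra), chunk):
        piece = extra[pos:pos + chunk]
        if length < extra_max:
            want = len(piece) if not bounded else min(len(piece), extra_max - length)
            fits = min(want, extra_max - length)
            buf[length:length + fits] = piece[:fits]
            past_end += want - fits   # counted instead of written: this is only a model
        length += len(piece)
    return bytes(buf), past_end


if __name__ == "__main__":
    field = parse_extra_field(build_gzip_header(b"A" * 100))   # 100-byte field, 16-byte buffer
    for bounded in (False, True):
        _, past = copy_extra(field, extra_max=16, chunk=100, bounded=bounded)
        print(f"bounded={bounded}: {past} byte(s) would be written past extra_max")
```

With the whole field delivered in one chunk the unbounded copy overshoots a 16-byte buffer by 84 bytes, while the clamped copy truncates at extra_max exactly as the fixed inflate.c does.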