Missing fix for CVE-2022-37434 in zlib1g in focal and jammy

Bug #1988548 reported by Felix Herrmann
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
zlib (Ubuntu) | Fix Released | Undecided | Rodrigo Figueiredo Zaiden |

Bug Description

There is a critical security issue with zlib tracked here [1].

The newest version in bionic [2] already has a security patch for it but the one in focal [3] (and jammy) does not, as can be seen from their respective changelogs in the right-hand side panel.

Since zlib is loaded by lots of software, e.g. the Apache web server, this could be a problem. It seems that focal, jammy and bionic use the same base zlib version (1.2.11), so maybe the patch there could be recycled?

I was asked to create a bug here after asking it as a question here [4].
Thank you very much for your hard work!

[1] CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-37434
[2] Bionic Package: https://packages.ubuntu.com/bionic/zlib1g
[3] Focal Package: https://packages.ubuntu.com/focal/zlib1g
[4] Original Question: https://answers.launchpad.net/ubuntu/+source/zlib/+question/703010

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in zlib (Ubuntu):
status: New → Confirmed
Charles Evans (crtiger) wrote :

I manually installed the fixed zlib from kinetic.
So far it is working.
Could someone put it in proposed for focal and jammy so it will be on the live CDs?

Changed in zlib (Ubuntu):
assignee: nobody → Rodrigo Figueiredo Zaiden (rodrigo-zaiden)
Changed in zlib (Ubuntu):
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package zlib - 1:1.2.11.dfsg-2ubuntu9.2

---------------
zlib (1:1.2.11.dfsg-2ubuntu9.2) jammy-security; urgency=medium

  * SECURITY UPDATE: heap-based buffer over-read (LP: #1988548)
    - debian/patches/CVE-2022-37434-1.patch: in inflate.c, add an extra
      condition to check if state->head->extra_max is greater than len
      before copying, and move the len assignment to be placed before the
      check.
    - debian/patches/CVE-2022-37434-2.patch: in the previous patch, in
      inflate.c, the place of the len assignment was causing issues so it
      was moved to be placed within the check.
    - CVE-2022-37434

 -- Rodrigo Figueiredo Zaiden <email address hidden> Fri, 14 Oct 2022 18:33:00 -0300

Changed in zlib (Ubuntu):
status: In Progress → Fix Released
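
The bounds check described in the changelog above, sketched as an added example (this is not the Ubuntu patch or zlib's inflate.c). The struct, the function names and the sample input are hypothetical; only the idea of testing len against extra_max before copying comes from the changelog, and extra_len follows zlib's gz_header.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified model of the gzip "extra" field state. */
struct gz_extra_model {
    unsigned char *extra;  /* caller-supplied buffer for the extra field */
    unsigned extra_max;    /* capacity of extra[] */
    unsigned extra_len;    /* total length declared in the gzip header */
    unsigned remaining;    /* bytes of the field not yet consumed */
};

/* Consume one input chunk; returns how many bytes were stored in extra[]. */
unsigned store_extra_chunk(struct gz_extra_model *s,
                           const unsigned char *next, unsigned avail)
{
    unsigned copy = s->remaining < avail ? s->remaining : avail;
    unsigned len = s->extra_len - s->remaining;  /* offset consumed so far */
    unsigned stored = 0;

    /* len < extra_max is the added condition: without it, once len passes
       extra_max the unsigned expression extra_max - len would wrap. */
    if (s->extra != NULL && len < s->extra_max) {
        stored = (len + copy > s->extra_max) ? s->extra_max - len : copy;
        memcpy(s->extra + len, next, stored);
    }
    s->remaining -= copy;
    return stored;
}

/* Constructed input: a 12-byte field arrives in 5-byte chunks; buffer holds 8. */
int demo_canary_intact(unsigned *total_stored)
{
    unsigned char buf[12], field[12];
    struct gz_extra_model s = { buf, 8, 12, 12 };
    unsigned off = 0, total = 0, n;

    memset(buf, 0xAA, sizeof buf);     /* buf[8..11] act as a canary */
    memset(field, 0x41, sizeof field);
    while (s.remaining > 0) {
        n = (12 - off) < 5 ? (12 - off) : 5;
        total += store_extra_chunk(&s, field + off, n);
        off += n;
    }
    *total_stored = total;
    return buf[8] == 0xAA && buf[11] == 0xAA;  /* 1 if nothing past extra_max was written */
}

int main(void) { unsigned t; return demo_canary_intact(&t) ? 0 : 1; }
```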