CVE-2022-37434 zlib in Mysql Client

What's the output of:

apt-cache policy libmysqlclient-dev

apt-cache policy libmysqlclient-dev

libmysqlclient-dev:
  Installed: 8.0.31-0ubuntu0.22.04.1
  Candidate: 8.0.31-0ubuntu0.22.04.1
  Version table:
 *** 8.0.31-0ubuntu0.22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     8.0.28-0ubuntu4 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

So, it looks like starting with MySQL 8.0.30 it now requires zlib 1.2.12 and if it's not available from the system libs, it uses its own internal copy.

In MySQL 8.0.31, which is the current version in Ubuntu 22.04 LTS, zlib has not been updated to fix CVE-2022-37434.

CVE-2022-37434 is only an issue if an application using zlib calls inflateGetHeader, and a quick glance at the MySQL source code doesn't seem to indicate the vulnerable function is being used, which may explain why Oracle has not bothered to patch the bundled zlib.

While the embedded zlib library in MySQL may be vulnerable, the vulnerable function is not used. Perhaps a later version of MySQL will update the internal zlib, but we will not be fixing this issue as a distro patch.