Critical vulnerability CVE-2022-37434 in lxml introduced through zlib

Bug #2023529 reported by Michal Mirkowski
This bug affects 2 people
Affects: lxml | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: none listed

Bug Description

lxml uses a third-party package, zlib 1.2.12, which has a CVE:
CVE-2022-37434 https://nvd.nist.gov/vuln/detail/CVE-2022-37434 - critical severity - 9.8 CVSS3
This vulnerability was removed in zlib 1.2.13.
I urgently need information on whether lxml is exploitable or not.
When do you plan to update the zlib version?

Regards,
Michal Mirkowski

Revision history for this message
scoder (scoder) wrote :

zlib 1.2.13 was released two months before lxml 4.9.2, so the binary wheels probably picked it up. They always use the latest versions for zlib and iconv and include all library dependencies statically linked.

Note that you can always build your own lxml wheels locally, with or without statically linked libraries.

I'm assuming that this is resolved in 4.9.2.

Changed in lxml:
status: New → Fix Released
scoder (scoder) wrote :

… this does not apply to the Windows wheels, though, which use pre-built binary libs from
https://github.com/winlibs/zlib

The latest zlib version available there is still 1.2.12.
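
One way to check which zlib a given lxml wheel actually bundles, as an added example rather than code from the lxml project or from this thread: zlib's inflate.c and deflate.c embed version banners of the form " inflate 1.2.13 Copyright 1995-2022 Mark Adler " as plain constant data (an assumption about zlib's sources, but the strings are not removed by stripping), so scanning the compiled lxml.etree extension module for them reveals the statically linked version without trusting release notes. The version-to-CVE mapping below is taken from this thread only; a matching version says the code is present, not that lxml reaches the affected code path, which is the separate question answered later in the thread.

```python
import re
import sys
from pathlib import Path
from typing import Dict, List, Optional, Set

# zlib embeds " inflate X.Y.Z Copyright ..." and " deflate X.Y.Z Copyright ..."
# as const strings (assumption about zlib's sources; they survive stripping).
_ZLIB_BANNER = re.compile(rb" (?:inflate|deflate) (\d+\.\d+\.\d+(?:\.\d+)?) Copyright")

# Versions named in this bug thread and the CVEs each one still carries.
# CVE-2018-25032 was removed in 1.2.12; CVE-2022-37434 was removed in 1.2.13.
KNOWN_ISSUES: Dict[str, List[str]] = {
    "1.2.11": ["CVE-2018-25032", "CVE-2022-37434"],
    "1.2.12": ["CVE-2022-37434"],
}
FIXED_VERSION = "1.2.13"


def find_zlib_versions(blob: bytes) -> Set[str]:
    """Return every zlib version string embedded in a binary image."""
    return {m.group(1).decode("ascii") for m in _ZLIB_BANNER.finditer(blob)}


def parse_version(version: str) -> tuple:
    """'1.2.13' -> (1, 2, 13), so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def assess(versions: Set[str], fixed: str = FIXED_VERSION) -> Dict[str, List[str]]:
    """Map each found version to the CVEs from the thread it still carries.

    An empty list means the version is at or past the fixed release.
    """
    report: Dict[str, List[str]] = {}
    for version in sorted(versions, key=parse_version):
        if parse_version(version) >= parse_version(fixed):
            report[version] = []
        else:
            report[version] = KNOWN_ISSUES.get(version, ["predates " + fixed])
    return report


def locate_lxml_etree() -> Optional[Path]:
    """Path of the compiled lxml.etree extension, or None if lxml is absent."""
    try:
        import lxml.etree as etree
    except ImportError:
        return None
    return Path(etree.__file__)


# Constructed sample: a fake extension-module image carrying a zlib 1.2.12
# banner, used when lxml is not installed so the script still runs offline.
SAMPLE_BLOB = (
    b"\x7fELF\x00\x00\x00\x00"
    b" inflate 1.2.12 Copyright 1995-2022 Mark Adler \x00"
    b" deflate 1.2.12 Copyright 1995-2022 Jean-loup Gailly and Mark Adler \x00"
)

if __name__ == "__main__":
    path = locate_lxml_etree()
    blob = path.read_bytes() if path else SAMPLE_BLOB
    source = str(path) if path else "constructed sample blob"
    found = find_zlib_versions(blob)
    if not found:
        # No banner usually means zlib is dynamically linked, so check the
        # system library instead of the wheel.
        print(f"{source}: no zlib banner found (zlib may be dynamically linked)")
        sys.exit(0)
    for version, cves in assess(found).items():
        status = "no CVE from this thread" if not cves else ", ".join(cves)
        print(f"{source}: bundles zlib {version} -> {status}")
```

Run it in the environment where the wheel is installed; on a dynamically linked build it finds no banner and you should inspect the system zlib instead.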

Michal Mirkowski (mmirkows) wrote :

Thank you for the response.
Could you please let the winlibs vendor know about this zlib CVE issue, so that they can bump the zlib version and release a new winlibs, so that a new lxml (free from this CVE) can be released?
By the way, the latest lxml 4.9.2 was released on 2022-12-13. Based on the winlibs tags (https://github.com/winlibs/zlib/tags), winlibs updated zlib from 1.2.11 to 1.2.12 on Mar 31, 2022, so the latest version of lxml (for Windows) includes zlib 1.2.11.
This zlib has additional CVE (which was removed in zlib 1.2.12): CVE-2018-25032 https://nvd.nist.gov/vuln/detail/CVE-2018-25032
Do you know if lxml is affected by any of these two vulnerabilities?

scoder (scoder) wrote :

According to https://nvd.nist.gov/vuln/detail/CVE-2022-37434, the vulnerability requires calling zlib's inflateGetHeader(). Neither libxml2 nor lxml does that.

https://nvd.nist.gov/vuln/detail/CVE-2018-25032 is data dependent, but according to https://github.com/madler/zlib/issues/605, it requires use of the recently added "Z_FIXED" option, which (again) neither libxml2 nor lxml does.

So, after reading up on some of the details, I don't think that either of the two CVEs is relevant for lxml, whether on Windows or other systems.

I'll close this ticket as "invalid" then.

Changed in lxml:
status: Fix Released → Invalid