Critical vulnerability CVE-2022-37434 in lxml introduced through zlib

zlib 1.2.13 was released two months before lxml 4.9.2, so the binary wheels probably picked it up. They always use the latest versions for zlib and iconv and include all library dependencies statically linked.

Note that you can always build your own lxml wheels locally, with or without statically linked libraries.

I'm assuming that this is resolved in 4.9.2.

… this does not apply to the Windows wheels, though, which use pre-built binary libs from
https://github.com/winlibs/zlib

The latest zlib version available there is still 1.2.12.

Thank you for the response.
Could you please let winlibs vendor know about this zlib CVE issue - so that they can bump zlib version, release new winilib, so new lxml (free from this CVE) can be released?
By the way - the latest lxml 4.9.2 was released on 2022-12-13. Basing on winlibs tags: https://github.com/winlibs/zlib/tags winilibs updated zlib from 1.2.11 to 1.2.12 on Mar 31, 2022, so the latest version of lxml (for windows) includes zlib 1.2.11.
This zlib has additional CVE (which was removed in zlib 1.2.12): CVE-2018-25032 https://nvd.nist.gov/vuln/detail/CVE-2018-25032
Do you know if lxml is affected by any of these two vulnerabilities?

According to https://nvd.nist.gov/vuln/detail/CVE-2022-37434, the vulnerability requires calling zlib's inflateGetHeader(). Neither libxml2 nor lxml do that.

https://nvd.nist.gov/vuln/detail/CVE-2018-25032 is data dependent, but according to https://github.com/madler/zlib/issues/605, it requires use of the recently added "Z_FIXED" option, which (again) neither libxml2 nor lxml do.

So, after reading up on some of the details, I don't think that any of the two CVEs is relevant for lxml, whether on Windows or other systems.

I'll close this ticket as "invalid" then.