According to https://nvd.nist.gov/vuln/detail/CVE-2022-37434, the vulnerability requires calling zlib's inflateGetHeader(). Neither libxml2 nor lxml do that.
https://nvd.nist.gov/vuln/detail/CVE-2018-25032 is data dependent, but according to https://github.com/madler/zlib/issues/605, it requires use of the recently added "Z_FIXED" option, which (again) neither libxml2 nor lxml do.
So, after reading up on some of the details, I don't think that either of the two CVEs is relevant for lxml, whether on Windows or other systems.
I'll close this ticket as "invalid" then.