Debian CVE-2022-37434 / CVE-2018-25032 : zlib: multiple CVEs

Bug #1994108 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Zhixiong Chi
Milestone: (none shown)

Bug Description

CVE-2022-37434: [https://nvd.nist.gov/vuln/detail/CVE-2022-37434]
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

CVE-2018-25032: [https://nvd.nist.gov/vuln/detail/CVE-2018-25032]
zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Score:
cve_id          status  cvss3Score  av  ac  pr  ui  ai
CVE-2022-37434  fixed   9.8         N   L   N   N   H
CVE-2018-25032  fixed   7.5         N   L   N   N   H
(CVSS v3 vector components: av = attack vector, N = network; ac = attack complexity, L = low; pr = privileges required, N = none; ui = user interaction, N = none; ai = availability impact, H = high)

References:
https://security-tracker.debian.org/tracker/DSA-5218-1

Package upgrades (old ===> fixed):
zlib1g_1:1.2.11.dfsg-2_amd64.deb ===> zlib1g_1:1.2.11.dfsg-2+deb11u2_amd64.deb
zlib1g-dev_1:1.2.11.dfsg-2_amd64.deb ===> zlib1g-dev_1:1.2.11.dfsg-2+deb11u2_amd64.deb

Found during August 2022 CVE scan using vulscan
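As an added check (not part of this report or the StarlingX change), dpkg's version-comparison algorithm in Python, used to confirm that an installed zlib1g is at or above the fixed version listed above; the names FIXED_ZLIB, dpkg_compare and zlib_is_fixed are chosen here and are not from the page.

```python
import re
from itertools import zip_longest

# Fixed version from DSA-5218-1 as listed in this report (zlib1g and zlib1g-dev).
FIXED_ZLIB = "1:1.2.11.dfsg-2+deb11u2"
_RUNS = re.compile(r"(\D*)(\d*)")  # alternating non-digit / digit runs


def _order(c):
    # dpkg's character weight: '~' sorts before everything (even end of string,
    # weight 0), letters by code point, other symbols after all letters.
    if c == "~":
        return -1
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    # Compare one version component the way dpkg does: non-digit runs character
    # by character via _order, digit runs numerically (leading zeros ignored).
    for (na, da), (nb, db) in zip_longest(_RUNS.findall(a), _RUNS.findall(b), fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0


def _split(v):
    # "[epoch:]upstream[-revision]": epoch defaults to 0; the revision is what
    # follows the last hyphen, so "1.2.11.dfsg-2+deb11u2" keeps "2+deb11u2".
    epoch, has_epoch, rest = v.partition(":")
    if not has_epoch:
        epoch, rest = "0", v
    upstream, has_rev, revision = rest.rpartition("-")
    return int(epoch), (upstream if has_rev else rest), (revision if has_rev else "")


def dpkg_compare(a, b):
    # Same sign convention as `dpkg --compare-versions`: -1 (a < b), 0 or 1.
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def zlib_is_fixed(installed):
    # installed: output of `dpkg-query -W -f '${Version}' zlib1g` (or zlib1g-dev).
    return dpkg_compare(installed, FIXED_ZLIB) >= 0
```

Note that the epoch is part of the comparison: a version string read from a .deb filename without its "1:" prefix compares as older than the fixed version.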


Yue Tao (wrytao)
summary: - [Debian] CVE-2022-37434: zlib: a heap-based buffer over-read or buffer
- overflow
+ Debian CVE-2022-37434 / CVE-2018-25032 : zlib: multiple CVEs
description: updated
Ghada Khalil (gkhalil) wrote:

screening: stx.8.0 / medium - CVE meets the stx fix criteria

Changed in starlingx:
status: New → Triaged
importance: Undecided → Medium
tags: added: stx.8.0 stx.security
information type: Public → Public Security
Changed in starlingx:
assignee: nobody → Zhixiong Chi (zhixiongchi)
Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/863874

OpenStack Infra (hudson-openstack) wrote: Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/863874
Committed: https://opendev.org/starlingx/tools/commit/165ec605fe0295181aa0cfde5ebc168267fb5cc4
Submitter: "Zuul (22348)"
Branch: master

commit 165ec605fe0295181aa0cfde5ebc168267fb5cc4
Author: Zhixiong Chi <email address hidden>
Date: Mon Nov 7 14:16:07 2022 +0800

    Debian: zlib: fix CVE-2022-37434 and CVE-2018-25032

    Upgrade zlib1g to 1:1.2.11.dfsg-2+deb11u2
    Upgrade zlib1g-dev to 1:1.2.11.dfsg-2+deb11u2

    Refer to:
    https://security-tracker.debian.org/tracker/DSA-5111-1
    https://security-tracker.debian.org/tracker/DSA-5218-1

    Test Plan:
    Pass: build-pkgs -c -a
    Pass: build-image

    Closes-Bug: 1994108

    Signed-off-by: Zhixiong Chi <email address hidden>
    Change-Id: I148089321875b5a8ab8d4f23a0af186ea3638afa

Changed in starlingx:
status: In Progress → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
