Comment 0 for bug 1994108

Revision history for this message
Yue Tao (wrytao) wrote : [Debian] CVE-2022-37434: zlib: a heap-based buffer over-read or buffer overflow

CVE-2022-37434: [https://nvd.nist.gov/vuln/detail/CVE-2022-37434]
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Score:
cve_id status cvss3Score av ac pr ui ai
CVE-2022-37434 fixed 9.8 N L N N H

References:
https://security-tracker.debian.org/tracker/DSA-5218-1

['zlib1g_1:1.2.11.dfsg-2_amd64.deb===>zlib1g_1:1.2.11.dfsg-2+deb11u2_amd64.deb', 'zlib1g-dev_1:1.2.11.dfsg-2_amd64.deb===>zlib1g-dev_1:1.2.11.dfsg-2+deb11u2_amd64.deb']

Found during August 2022 CVE scan using vulscan