oss-sec mailing list archives
Re: zlib buffer overflow
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Mon, 8 Aug 2022 18:31:59 -0700
On 8/5/22 13:53, Evgeny Legerov wrote:
> Heap overflow has been fixed in zlib - https://www.cve.org/CVERecord?id=CVE-2022-37434
Expanding this for the benefit of list members and the archives:

The CVE description is:

    zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow
    in inflate in inflate.c via a large gzip header extra field. NOTE: only
    applications that call inflateGetHeader are affected. Some common
    applications bundle the affected zlib source code but may be unable to
    call inflateGetHeader (e.g., see the nodejs/node reference).

where the nodejs reference is to:
https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764

The reproducer is posted at https://github.com/ivd38/zlib_overflow and notes
the issue was found by Evgeny Legerov of @intevydis - who is presumably our
original poster here.

The initial fix upstream was:

    If the extra field was larger than the space the user provided with
    inflateGetHeader(), and if multiple calls of inflate() delivered the
    extra header data, then there could be a buffer overflow of the
    provided space. This commit assures that provided space is not
    exceeded.

from https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1

*but* the curl developers found that crashed in their testing, as reported in
comments on the above commit and https://github.com/curl/curl/issues/9271
so a follow-up fix upstream today made sure not to dereference state->head
until *after* the check for it not being NULL:
https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d

-- 
	-Alan Coopersmith-                 alan.coopersmith () oracle com
	 Oracle Solaris Engineering - https://blogs.oracle.com/solaris
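Added illustration (editor's code, not part of Alan's message and not zlib's own source): a C model of the EXTRA-state copy that the two commits touch. The struct and field names (extra, extra_max, extra_len, head, length) mirror zlib's gz_header and inflate_state but the structs here are stand-ins, the chunk sizes are constructed, and vulnerable_copy_len() only evaluates the 1.2.12 length expression rather than copying, so the unsigned wraparound can be observed without corrupting memory. feed_extra_fixed() has the shape of the final upstream fix: NULL checks on head and head->extra first, then the offset computed and bounds-checked in the same condition.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the gz_header fields used in the EXTRA phase (not zlib's). */
typedef struct {
    unsigned char *extra;   /* caller's buffer from inflateGetHeader(), or NULL */
    unsigned extra_max;     /* size of that buffer */
    unsigned extra_len;     /* total extra-field length announced by the header */
} gz_header_model;

/* Stand-in for the inflate_state fields used below. */
typedef struct {
    gz_header_model *head;  /* NULL unless the app called inflateGetHeader() */
    unsigned length;        /* extra-field bytes still to be consumed */
} inflate_state_model;

/* Length the 1.2.12 code hands to zmemcpy for one chunk:
       len = extra_len - length;  len + copy > extra_max ? extra_max - len : copy
   Only computed here. Once earlier inflate() calls have filled the buffer
   (len >= extra_max), extra_max - len wraps to a huge unsigned value. */
unsigned vulnerable_copy_len(unsigned extra_len, unsigned extra_max,
                             unsigned remaining, unsigned copy)
{
    unsigned len = extra_len - remaining;
    return len + copy > extra_max ? extra_max - len : copy;
}

/* Fixed shape: NULL checks first, offset bounds-checked in the same condition.
   Consumes up to `avail` bytes from `next`; returns the number consumed. */
unsigned feed_extra_fixed(inflate_state_model *state,
                          const unsigned char *next, unsigned avail)
{
    unsigned copy = state->length;
    unsigned len = 0;

    if (copy > avail)
        copy = avail;
    if (copy) {
        if (state->head != NULL &&
            state->head->extra != NULL &&
            (len = state->head->extra_len - state->length) <
                state->head->extra_max) {
            memcpy(state->head->extra + len, next,
                   len + copy > state->head->extra_max ?
                   state->head->extra_max - len : copy);
        }
        state->length -= copy;
    }
    return copy;
}

/* Constructed scenario: a 40-byte extra field delivered in four 10-byte
   inflate() calls into a 16-byte user buffer followed by a 16-byte canary.
   Returns 16 (bytes correctly filled) if the canary survived, else -1. */
int run_fixed_scenario(void)
{
    enum { EXTRA_LEN = 40, EXTRA_MAX = 16, CANARY = 16, CHUNK = 10 };
    unsigned char stream[EXTRA_LEN];
    unsigned char buf[EXTRA_MAX + CANARY];
    gz_header_model head = { buf, EXTRA_MAX, EXTRA_LEN };
    inflate_state_model state = { &head, EXTRA_LEN };
    unsigned off = 0, filled = 0;
    int i;

    for (i = 0; i < EXTRA_LEN; i++)
        stream[i] = (unsigned char)i;      /* recognisable payload */
    memset(buf, 0xAA, sizeof buf);         /* canary pattern everywhere */

    while (off < EXTRA_LEN) {
        unsigned avail = EXTRA_LEN - off < CHUNK ? EXTRA_LEN - off : CHUNK;
        off += feed_extra_fixed(&state, stream + off, avail);
    }
    for (i = 0; i < EXTRA_MAX && buf[i] == (unsigned char)i; i++)
        filled++;
    for (i = EXTRA_MAX; i < EXTRA_MAX + CANARY; i++)
        if (buf[i] != 0xAA)
            return -1;                     /* wrote past extra_max */
    return (int)filled;
}

/* No inflateGetHeader() call at all (head == NULL): the field must still be
   consumed without touching head, which is the case curl tripped over. */
unsigned run_null_head_scenario(void)
{
    unsigned char stream[40] = {0};
    inflate_state_model state = { NULL, 40 };
    unsigned off = 0;
    while (off < 40)
        off += feed_extra_fixed(&state, stream + off, 10);
    return off;
}

int main(void)
{
    printf("fixed path filled %d bytes, canary intact\n", run_fixed_scenario());
    printf("1.2.12 length for 3rd chunk: %u (extra_max is 16)\n",
           vulnerable_copy_len(40, 16, 20, 10));
    return 0;
}
```

The third chunk is where the two versions diverge: by then 16 bytes have been copied, len is 20, and the old expression yields extra_max - len as an unsigned wraparound, whereas the fixed condition simply skips the copy while still consuming the input.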
Current thread:
- zlib buffer overflow Evgeny Legerov (Aug 05)
- Re: zlib buffer overflow Alan Coopersmith (Aug 08)