Re: zlib buffer overflow

[Alan Coopersmith <alan.coopersmith () oracle com>]

On 8/5/22 13:53, Evgeny Legerov wrote:
> Heap overflow has been fixed in zlib - 
> https://www.cve.org/CVERecord?id=CVE-2022-37434

Expanding this for the benefit of list members and the archives:

The CVE description is:

   zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow
   in inflate in inflate.c via a large gzip header extra field.

   NOTE: only applications that call inflateGetHeader are affected. Some
   common applications bundle the affected zlib source code but may be unable
   to call inflateGetHeader (e.g., see the nodejs/node reference).

where the nodejs reference is to:

https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764

The reproducer is posted at https://github.com/ivd38/zlib_overflow and
notes the issue was found by Evgeny Legerov of @intevydis - who is
presumably our original poster here.

The initial fix upstream was:

    If the extra field was larger than the space the user provided with
    inflateGetHeader(), and if multiple calls of inflate() delivered
    the extra header data, then there could be a buffer overflow of the
    provided space. This commit assures that provided space is not
    exceeded.

from https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1

*but* the curl developers found that crashed in their testing, as reported
in comments on the above commit and https://github.com/curl/curl/issues/9271
so a followup fix upstream today made sure not to dereference state->head
until *after* the check for it not being NULL:

https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris