| Summary: | zlib new security issue CVE-2022-37434 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, mageia, nicolas.salguero, sysadmin-bugs, tmb |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | zlib-1.2.12-1.1.mga8.src.rpm | CVE: | CVE-2022-37434 |
| Status comment: | | | |
Description
David Walser
2022-08-06 15:24:13 CEST

David Walser
2022-08-06 15:24:31 CEST

Whiteboard: (none) => MGA8TOO

This SRPM has had different maintainers, so assigning the update globally. CC'ing tmb & NicolasS who have dealt with it recently, and might want to do this update.

Assignee: bugsquad => pkg-bugs

fixed in mga8/9
src:
- zlib-1.2.12-1.2.mga8

CC: (none) => mageia

libzlib-devel-1.2.12-1.2.mga8
libzlib-static-devel-1.2.12-1.2.mga8
libzlib1-1.2.12-1.2.mga8
libminizip1-1.2.12-1.2.mga8
libminizip-devel-1.2.12-1.2.mga8
from zlib-1.2.12-1.2.mga8.src.rpm

See here: https://www.openwall.com/lists/oss-security/2022/08/09/1

A second commit needs to be added to fix a regression.

Keywords: (none) => feedback

Ubuntu has issued an advisory for this on August 17:
https://ubuntu.com/security/notices/USN-5570-1

Assignee: qa-bugs => mageia

Debian has issued an advisory for this on August 25:
https://www.debian.org/security/2022/dsa-5218

Status comment: (none) => Second patch needs to be added to fix regression

Suggested advisory:
========================

The updated packages fix a security vulnerability:

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference). (CVE-2022-37434)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434
https://www.openwall.com/lists/oss-security/2022/08/09/1
https://ubuntu.com/security/notices/USN-5570-1
https://www.debian.org/security/2022/dsa-5218
========================

Updated packages in core/updates_testing:
========================
lib(64)minizip1-1.2.12-1.3.mga8
lib(64)minizip-devel-1.2.12-1.3.mga8
lib(64)zlib1-1.2.12-1.3.mga8
lib(64)zlib-devel-1.2.12-1.3.mga8
lib(64)zlib-static-devel-1.2.12-1.3.mga8

from SRPM: zlib-1.2.12-1.3.mga8.src.rpm

CVE: (none) => CVE-2022-37434

Fedora has issued an advisory for this today (September 2):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/

MGA8-64 Plasma. No installation issues. Repeated the test from https://bugs.mageia.org/show_bug.cgi?id=30204#c7 except with different object files, with the same results. Validating. Advisory in Comment 7.

Keywords: (none) => validated_update

Dave Hodgins
2022-09-16 19:54:21 CEST

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0328.html

Status: ASSIGNED => RESOLVED
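The advisory in the thread above describes the bug as an over-read or overflow in inflate's handling of a large gzip header extra field, affecting only callers of inflateGetHeader. What follows is an added example, not code from the bug report or from zlib: a small header parser that copies the FEXTRA field into a caller-sized buffer and clamps the copy to the buffer's capacity, the bound a reviewer would look for in any header parser that fills a caller-supplied buffer. It assumes the whole header is present in one input buffer (zlib's inflate() consumes it incrementally across calls) and uses the field names extra, extra_max and extra_len after the gz_header struct that inflateGetHeader fills; the sample header bytes are constructed for the example.

```c
/* Added example, not zlib code: copy a gzip FEXTRA field into a caller-sized buffer. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FEXTRA 0x04  /* FLG bit: an extra field follows the fixed 10-byte header */

typedef struct {
    uint8_t *extra;    /* caller-provided buffer, may be NULL */
    size_t extra_max;  /* capacity of that buffer */
    size_t extra_len;  /* XLEN as declared in the header, even if not fully copied */
    int truncated;     /* set when extra_len > extra_max */
} gz_extra;

/* Returns header bytes consumed, or -1 if the input is malformed or too short. */
long parse_gzip_extra(const uint8_t *in, size_t n, gz_extra *h)
{
    if (n < 10 || in[0] != 0x1f || in[1] != 0x8b || in[2] != 8) return -1;
    size_t pos = 10;
    h->extra_len = 0; h->truncated = 0;
    if (!(in[3] & FEXTRA)) return (long)pos;
    if (n < pos + 2) return -1;
    size_t len = (size_t)in[pos] | ((size_t)in[pos + 1] << 8);  /* XLEN, little-endian */
    pos += 2;
    if (n < pos + len) return -1;  /* never read past the input we were given */
    /* Clamp to the buffer: this bound is what keeps an oversized XLEN harmless. */
    size_t copy = len > h->extra_max ? h->extra_max : len;
    if (h->extra != NULL && copy > 0) memcpy(h->extra, in + pos, copy);
    h->extra_len = len;
    h->truncated = len > h->extra_max;
    return (long)(pos + len);
}

/* Constructed sample (not real data): FEXTRA set, XLEN = 8, one subfield "AB"
 * of length 4 carrying "wxyz"; 20 bytes in total. */
static const uint8_t sample_header[20] = {
    0x1f, 0x8b, 0x08, FEXTRA, 0, 0, 0, 0, 0, 0x03,
    0x08, 0x00, 'A', 'B', 0x04, 0x00, 'w', 'x', 'y', 'z' };

/* 8 declared bytes into a 4-byte buffer with two guard bytes behind it:
 * returns 1 when the copy was clamped and the guard bytes are intact. */
int oversized_extra_is_clamped(void)
{
    uint8_t buf[6] = {0, 0, 0, 0, 0xAA, 0xAA};
    gz_extra h = { buf, 4, 0, 0 };
    if (parse_gzip_extra(sample_header, sizeof sample_header, &h) != 20) return 0;
    return h.truncated && h.extra_len == 8 && buf[4] == 0xAA && buf[5] == 0xAA;
}
```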