CVE-2022-37434

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
klibc	24.04 LTS noble	Fixed 2.0.13-4ubuntu0.1
	23.10 mantic	Fixed 2.0.13-1ubuntu0.1
	22.04 LTS jammy	Fixed 2.0.10-4ubuntu0.1
	20.04 LTS focal	Fixed 2.0.7-1ubuntu5.2
	18.04 LTS bionic	Fixed 2.0.4-9ubuntu2.2+esm1 Ubuntu Pro
	16.04 LTS xenial	Fixed 2.0.4-8ubuntu1.16.04.4+esm2 Ubuntu Pro
	14.04 LTS trusty	Fixed 2.0.3-0ubuntu1.14.04.3+esm3 Ubuntu Pro
rsync	24.04 LTS noble	Not affected
	23.10 mantic	Not affected
	22.10 kinetic	Not affected
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Fixed 3.1.3-8ubuntu0.4
	18.04 LTS bionic	Fixed 3.1.2-2.1ubuntu1.5
	16.04 LTS xenial	Fixed 3.1.1-3ubuntu1.3+esm2 Ubuntu Pro
	14.04 LTS trusty	Not affected
zlib	24.04 LTS noble	Not affected
	23.10 mantic	Not affected
	22.10 kinetic	Not affected
	22.04 LTS jammy	Fixed 1:1.2.11.dfsg-2ubuntu9.2
	20.04 LTS focal	Fixed 1:1.2.11.dfsg-2ubuntu1.5
	18.04 LTS bionic	Fixed 1:1.2.11.dfsg-0ubuntu2.2
	16.04 LTS xenial	Fixed 1:1.2.8.dfsg-2ubuntu4.3+esm2 Ubuntu Pro
	14.04 LTS trusty	Fixed 1:1.2.8.dfsg-1ubuntu1.1+esm2 Ubuntu Pro

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

Notes

mdeslaur

Since 3.1.3-7, rsync builds with the system zlib. Apps are only vulnerable if they use inflateGetHeader() and call inflate() in a loop. This fix caused a regression, see: https://www.openwall.com/lists/oss-security/2022/08/09/1 https://github.com/curl/curl/issues/9271 The second commit below fixes the regression.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
rsync	Upstream: 788f11e Upstream: 9e2921f
zlib	Upstream: eff308a Upstream: 1eb7682

Severity score breakdown

Parameter	Value
Base score	9.8 · Critical
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-5570-1
zlib vulnerability
17 August 2022

USN-5573-1
rsync vulnerability
18 August 2022

USN-5570-2
zlib vulnerability
17 October 2022

USN-6736-1
klibc vulnerabilities
16 April 2024

USN-6736-2
klibc vulnerabilities
23 May 2024