zlib缓冲区错误漏洞（CVE-2022-37434）

admin

0
文章

0
评论

2023-11-30 06:35:16 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

中危 zlib缓冲区错误漏洞（CVE-2022-37434）

CVE编号

CVE-2022-37434

利用情况

暂无

补丁情况

官方补丁

披露时间

2022-08-05

漏洞描述

zlib是美国Mark Adler个人开发者的一个通用的数据压缩库。 zlib 1.2.12版本存在缓冲区错误漏洞，该漏洞源于在inflate.c中通过一个大的gzip标头额外字段在inflate中具有基于堆的缓冲区过度读取或缓冲区溢出。

解决建议

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页：https://github.com/madler/zlib/

参考链接
http://seclists.org/fulldisclosure/2022/Oct/37
http://seclists.org/fulldisclosure/2022/Oct/38
http://seclists.org/fulldisclosure/2022/Oct/41
http://seclists.org/fulldisclosure/2022/Oct/42
http://www.openwall.com/lists/oss-security/2022/08/05/2
http://www.openwall.com/lists/oss-security/2022/08/09/1
https://github.com/curl/curl/issues/9271
https://github.com/ivd38/zlib_overflow
https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/...
https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/...
https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/[email protected]...
https://lists.fedoraproject.org/archives/list/[email protected]...
https://lists.fedoraproject.org/archives/list/[email protected]...
https://security.netapp.com/advisory/ntap-20220901-0005/
https://security.netapp.com/advisory/ntap-20230427-0007/
https://support.apple.com/kb/HT213488
https://support.apple.com/kb/HT213489
https://support.apple.com/kb/HT213490
https://support.apple.com/kb/HT213491
https://support.apple.com/kb/HT213493
https://support.apple.com/kb/HT213494
https://www.debian.org/security/2022/dsa-5218

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	zlib	zlib	*		Up to (including) 1.2.12
	运行在以下环境
	系统	alibaba_cloud_linux_2.1903	zlib-static	*		Up to (excluding) 1.2.7-21.1.al7
	运行在以下环境
	系统	alpine_3.11	zlib	*		Up to (excluding) 1.2.11-r4
	运行在以下环境
	系统	alpine_3.12	zlib	*		Up to (excluding) 1.2.12-r2
	运行在以下环境
	系统	alpine_3.13	zlib	*		Up to (excluding) 1.2.12-r2
	运行在以下环境
	系统	alpine_3.14	zlib	*		Up to (excluding) 1.2.12-r2
	运行在以下环境
	系统	alpine_3.15	zlib	*		Up to (excluding) 1.2.12-r2
	运行在以下环境
	系统	alpine_3.16	zlib	*		Up to (excluding) 1.2.12-r2
	运行在以下环境
	系统	alpine_3.17	zlib	*		Up to (excluding) 1.2.12-r2
	运行在以下环境
	系统	alpine_3.18	zlib	*		Up to (excluding) 1.2.12-r2
	运行在以下环境
	系统	alpine_edge	zlib	*		Up to (excluding) 1.2.12-r2
	运行在以下环境
	系统	amazon_2	zlib	*		Up to (excluding) 3.1.2-11.amzn2.0.2
	运行在以下环境
	系统	amazon_2022	zlib	*		Up to (excluding) 3.2.6-1.amzn2022.0.1
	运行在以下环境
	系统	amazon_2023	zlib	*		Up to (excluding) 3.2.6-1.amzn2023.0.3
	运行在以下环境
	系统	amazon_AMI	zlib	*		Up to (excluding) 1.2.8-7.20.amzn1
	运行在以下环境
	系统	anolis_os_7	minizip	*		Up to (excluding) 1.2.7-21
	运行在以下环境
	系统	anolis_os_8	zlib	*		Up to (excluding) 1.2.11-19.0.1
	运行在以下环境
	系统	centos_7	minizip	*		Up to (excluding) 1.2.7-21.el7_9
	运行在以下环境
	系统	centos_8	zlib-debuginfo	*		Up to (excluding) 3.1.3-19.el8
	运行在以下环境
	系统	debian_10	libz-mingw-w64	*		Up to (excluding) 1:1.2.11.dfsg-1+deb10u2
	运行在以下环境
	系统	debian_11	libz-mingw-w64	*		Up to (excluding) 1:1.2.11.dfsg-2+deb11u2
	运行在以下环境
	系统	debian_12	libz-mingw-w64	*		Up to (excluding) 1:1.2.11.dfsg-4.1
	运行在以下环境
	系统	debian_sid	libz-mingw-w64	*		Up to (excluding) 1:1.2.11.dfsg-4.1
	运行在以下环境
	系统	fedora_35	rsync-debugsource	*		Up to (excluding) 1.2.11-32.fc35
	运行在以下环境
	系统	fedora_36	rsync-debugsource	*		Up to (excluding) 1.2.11-33.fc36
	运行在以下环境
	系统	fedora_37	zlib-debuginfo	*		Up to (excluding) 1.2.12-5.fc37
	运行在以下环境
	系统	kylinos_aarch64_V10SP1	rsync	*		Up to (excluding) 1.2.11-20.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP2	rsync	*		Up to (excluding) 1.2.11-20.ky10
	运行在以下环境
	系统	kylinos_loongarch64_V10SP1	rsync	*		Up to (excluding) 1.2.11-20.a.ky10
	运行在以下环境
	系统	kylinos_loongarch64_V10SP3	mariadb-connector-c	*		Up to (excluding) 3.0.6-9.a.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP1	rsync	*		Up to (excluding) 1.2.11-20.ky10
	运行在以下环境
系统	kylinos_x86_64_V10SP2	rsync	*		Up to (excluding) 1.2.11-20.ky10
运行在以下环境
系统	opensuse_5.2	libz1	*		Up to (excluding) 1.2.11-150000.3.33.1
运行在以下环境
系统	opensuse_Leap_15.3	libminizip1	*		Up to (excluding) 1.2.11-150000.3.33.1
运行在以下环境
系统	opensuse_Leap_15.4	libminizip1	*		Up to (excluding) 1.2.11-150000.3.33.1
运行在以下环境
系统	oracle_6	oraclelinux-release	*		Up to (excluding) 1.2.3-29.0.3.el6
运行在以下环境
系统	oracle_7	oraclelinux-release	*		Up to (excluding) 1.2.7-20.0.1.el7_9
运行在以下环境
系统	oracle_8	oraclelinux-release	*		Up to (excluding) 1.2.11-19.el8_6
运行在以下环境
系统	oracle_9	oraclelinux-release	*		Up to (excluding) 1.2.11-32.el9_0
运行在以下环境
系统	redhat_7	zlib-debuginfo	*		Up to (excluding) 1.2.7-21.el7_9
运行在以下环境
系统	redhat_8	zlib-debuginfo	*		Up to (excluding) 3.1.3-19.el8
运行在以下环境
系统	redhat_9	rsync-daemon	*		Up to (excluding) 1.2.11-32.el9_0
运行在以下环境
系统	suse_12_SP5	zlib-devel	*		Up to (excluding) 1.2.11-11.22.1
运行在以下环境
系统	ubuntu_18.04	zlib	*		Up to (excluding) 3.1.2-2.1ubuntu1.5
运行在以下环境
系统	ubuntu_20.04	zlib	*		Up to (excluding) 3.1.3-8ubuntu0.4
运行在以下环境
系统	ubuntu_22.04	zlib	*		Up to (excluding) 1:1.2.11.dfsg-2ubuntu9.2
运行在以下环境
系统	unionos_a	zlib	*		Up to (excluding) rsync-3.1.3-19.uelc20
运行在以下环境
系统	unionos_d	zlib	*		Up to (excluding) 1:1.2.12.5-1+dde
运行在以下环境
系统	unionos_e	mysql	*		Up to (excluding) mariadb-connector-c-3.0.6-9.uel20