Test 224 fails with CVE-2022-37434 patched zlib

[winterqt]

I did this

Using zlib v1.2.12 patched for CVE-2022-37434:

make test
# or...
cd tests
./runtests.pl 224

test 0224...[HTTP GET gzip compressed content with huge comment and extra field]

 224: data FAILED:
--- log/check-expected	2022-08-07 23:29:39.568010972 +0000
+++ log/check-generated	2022-08-07 23:29:39.568010972 +0000
@@ -1,9 +0,0 @@
-HTTP/1.1 200 OK[CR][LF]
-Date: Mon, 29 Nov 2004 21:56:53 GMT[CR][LF]
-Server: Apache/1.3.31 (Debian GNU/Linux) mod_gzip/1.3.26.1a PHP/4.3.9-1 mod_ssl/2.8.20 OpenSSL/0.9.7d mod_perl/1.29[CR][LF]
-Vary: Accept-Encoding[CR][LF]
-Content-Type: text/html; charset=ISO-8859-1[CR][LF]
-Content-Encoding: gzip[CR][LF]
-Content-Length: 2186[CR][LF]
-[CR][LF]
-uncompressed gzip data with long gzip header[LF]

I've also seen this test failure accompanied by a segfault, but this only happens within a sandbox (which uses the Linux kernel's namespacing feature):

test 0224...core dumped
FAILED

I expected the following

For the test to succeed.

curl/libcurl version

7.84.0

operating system

Linux 5.15.43 #1-NixOS SMP Wed May 25 12:42:07 UTC 2022 aarch64 GNU/Linux

This very much could be a zlib issue since the patch in question hasn't made it into a release yet, but I'm going to leave this open just in case it's not; feel free to close.

[bagder]

I can reproduce the crash when madler/zlib@eff308a is present and I can confirm that this test case makes zlib:inflate() segfault.

Breakpoint 1, inflate_stream (data=0x55555573cb68, writer=0x55555577fd08, started=ZLIB_INIT_GZIP) at content_encoding.c:198
198         status = inflate(z, Z_BLOCK);
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7cedc7d in inflate () from /home/daniel/build-zlib/lib/libz.so.1
(gdb) 

[bagder]

This is a zlib issue.

[bagder]

Since this is a bug in zlib causing the crash and not in curl, I'm closing.

[madler]

Thanks for the report. Should be fixed in madler/zlib@1eb7682 .

[bagder]

@madler the current develop branch is confirmed to work fine for me with curl test 224 ✔️

[madler]

@bagder Excellent, thanks!

[winterqt]

@madler I and others have also confirmed that this fixes not only the curl issues, but other software as well. Thank you for the quick response!

[madler]

Thank you for the confirmations of the fix.

[jaymehta6]

Please provide runtests.pl file to run the exploit.

[jaymehta6]

I did this

Using zlib v1.2.12 patched for CVE-2022-37434:

make test
# or...
cd tests
./runtests.pl 224

test 0224...[HTTP GET gzip compressed content with huge comment and extra field]

 224: data FAILED:
--- log/check-expected	2022-08-07 23:29:39.568010972 +0000
+++ log/check-generated	2022-08-07 23:29:39.568010972 +0000
@@ -1,9 +0,0 @@
-HTTP/1.1 200 OK[CR][LF]
-Date: Mon, 29 Nov 2004 21:56:53 GMT[CR][LF]
-Server: Apache/1.3.31 (Debian GNU/Linux) mod_gzip/1.3.26.1a PHP/4.3.9-1 mod_ssl/2.8.20 OpenSSL/0.9.7d mod_perl/1.29[CR][LF]
-Vary: Accept-Encoding[CR][LF]
-Content-Type: text/html; charset=ISO-8859-1[CR][LF]
-Content-Encoding: gzip[CR][LF]
-Content-Length: 2186[CR][LF]
-[CR][LF]
-uncompressed gzip data with long gzip header[LF]

I've also seen this test failure accompanied by a segfault, but this only happens within a sandbox (which uses the Linux kernel's namespacing feature):

test 0224...core dumped
FAILED

I expected the following

For the test to succeed.

curl/libcurl version

7.84.0

operating system

Linux 5.15.43 #1-NixOS SMP Wed May 25 12:42:07 UTC 2022 aarch64 GNU/Linux

This very much could be a zlib issue since the patch in question hasn't made it into a release yet, but I'm going to leave this open just in case it's not; feel free to close.

@winterqt ### Please provide runtests.pl file to run the exploit.

[bagder]

This crash happened using the regular curl test suite. The files are in the git repository.

But please, this issue is not a curl issue and it is closed.

[Neustradamus]

@madler has done the new build, the 1.2.13 has been released with the CVE-2022-37434 fix.