-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2022-37434 zlib vulnerability #824
Comments
Hi @s1gkill, thanks for letting us know. As far as I understand from the description, Node is probably not affected.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434 Also I checked the linked "patch" reference. And there the developers write this:
madler/zlib@eff308a#commitcomment-80706024
madler/zlib@eff308a#commitcomment-80753451 So me it looks like the CPE entry is not correct and the CVE entry itself is also not valid. I will ask MITRE and the developers for clarification. |
If the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit assures that provided space is not exceeded.
It was also referred by: nodejs/nodejs-dependency-vuln-assessments#50. I'll take a look on that to create an assessment |
Thanks for a quick reply! Hmm... I interpreted the comments as if they're talking about a bug that was introduced by the actual CVE vulnerability fix (so the 2 commits in zlib develop branch which has not yet been released). I also saw the commits being patched to other projects in here: curl/curl#9271, hence thought they must be important. The original issue for myself is that this vulnerability is considered Critical by a security scanner. |
Things are getting a bit clearer now in the discussion.
|
We'll need to wait for the fork update as well. We don't use |
Understood. Linking the relevant lines that will need the changes: https://github.com/nodejs/node/blob/main/deps/zlib/inflate.c#L762-L764 |
@RafaelGSS @DanielRuf There was an update to https://chromium.googlesource.com/chromium/src/third_party/zlib today. Is this fixing the issue ? |
It should. We're working to update the zlib on Node.js any time soon. Feel free to help on nodejs/node#44254. |
If node.js doesn't use |
Yes, it probably won't affect Node.js itself, but anyway it's good to have it updated. |
Sure, so long as no one is panicking and thinking "OMG, I need to get this updated right now!" |
Absolutely. I'll just confirm that it doesn't affect Node.js and then close this issue. |
@RafaelGSS thanks if you can confirm one way or the other we can then tag the issue in https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues as to whether it affects node.js or not. |
@madler thanks for the suggestion, I should have thought of checking that earlier :) |
Sorry for the delay. Node.js doesn't use the |
@madler has done the new build, the 1.2.13 has been released with the CVE-2022-37434 fix. |
@RafaelGSS did you talk to @facutuesca about helping with doing a zlib update? Seems like a good time to make sure we can now that a patch is available. |
Yes, I did. He will be available to do that after Oct 24. |
I saw that the PR (nodejs/node#44412) for updating zlib was fixed and now passes CI. Is there anything else needed to merge? |
We're waiting for the Benchmark CI |
Hello,
searching through the web for this vulnerability about Node + zlib, I decided to post an issue here inspired by this.
As discussed in issue mentioned above, NodeJS relies on Chromium's zlib implementation and Chromium maintainers have been applying software patches proactively. Looking both the Chromium source and NodeJS source the fix(es) applied by the zlib maintainer has not been patched yet.
Just wanted to bring this into your attention and hope to get some clarification on how would these normally be resolved?
Many thanks in advance!
The text was updated successfully, but these errors were encountered: