https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109428
Bug ID: 109428
Summary: GCC did not fix CVE-2022-37434, a heap overflow bug introduced by its dependency zlib code.
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: lto
Assignee: unassigned at gcc dot gnu.org
Reporter: chluo at cse dot cuhk.edu.hk
CC: marxin at gcc dot gnu.org
Target Milestone: ---

GCC reused zlib 1.2.11. A heap overflow vulnerability (https://github.com/madler/zlib/issues/723) was recently found in zlib through version 1.2.12 and was patched in the latest version of zlib in https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1. The patch basically inserted an additional check at the if condition and does not influence any functionalities.

We found that in the current version of GCC (0f816116356fec32e3a3a2fb5af790a0438c5da4), the simple patch has still not been propagated yet. Since the vulnerability in zlib also impacts GCC and it has been publicly known for a while, we believe GCC should apply the patch ASAP.
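To illustrate the "additional check at the if condition" the report refers to, below is an added C model of the gzip-header extra-field copy in zlib's inflate() and of the fix in the commit linked above; it is example code written for this page, not GCC's or zlib's own source. `struct hdr_model`, `copy_len_unpatched`, `copy_extra_patched`, `feed_patched`, the 4-byte chunking and the constructed input bytes are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the gz_header fields inflate() writes to:
 *   extra      caller-supplied buffer for the gzip extra field
 *   extra_max  size of that buffer (chosen by the caller)
 *   extra_len  length of the field as declared by the input stream */
struct hdr_model {
    unsigned char *extra;
    unsigned extra_max;
    unsigned extra_len;
};

/* Length arithmetic of the unpatched copy (zlib <= 1.2.12). 'len' is the
 * offset already filled. Because extra_len comes from the stream, len can
 * reach or exceed extra_max; then extra_max - len wraps to a huge unsigned
 * value, which is the heap overflow behind CVE-2022-37434. Only the number
 * is computed here, no memory is written. */
unsigned copy_len_unpatched(unsigned len, unsigned copy, unsigned extra_max)
{
    return len + copy > extra_max ? extra_max - len : copy;
}

/* Patched behaviour (zlib commit eff308af): the copy runs only when
 * len < extra_max, so the subtraction cannot wrap and every write lands
 * inside extra[0 .. extra_max). 'length' is the part of the field not yet
 * consumed. Returns the number of bytes stored. */
unsigned copy_extra_patched(struct hdr_model *h, unsigned length,
                            const unsigned char *next, unsigned copy)
{
    unsigned len;
    if (h->extra != NULL && (len = h->extra_len - length) < h->extra_max) {
        unsigned n = len + copy > h->extra_max ? h->extra_max - len : copy;
        memcpy(h->extra + len, next, n);
        return n;
    }
    return 0;
}

/* Feed a declared extra field of extra_len bytes (<= 256), in 4-byte chunks,
 * into a buffer of extra_max bytes (<= 64); return the total stored. */
unsigned feed_patched(unsigned extra_max, unsigned extra_len)
{
    unsigned char buf[64], stream[256];     /* constructed input bytes */
    struct hdr_model h = { buf, extra_max, extra_len };
    unsigned length = extra_len, pos = 0, total = 0, i;
    if (extra_max > sizeof buf || extra_len > sizeof stream) return 0;
    for (i = 0; i < sizeof stream; i++) stream[i] = (unsigned char)i;
    while (length > 0) {
        unsigned copy = length < 4 ? length : 4;
        total += copy_extra_patched(&h, length, stream + pos, copy);
        pos += copy; length -= copy;
    }
    return total;
}
```

A field that fits is stored unchanged, an over-long field is truncated at extra_max, and the unpatched arithmetic shows the wrapped length a stream-controlled extra_len could have produced.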