On Thu, Aug 11, 2022 at 01:07:53PM -0700, enh wrote:
> is there a CVE or PoC for the zlib bug? it seems like OpenBSD is the
> only place where this has been fixed, and none of the various
> upstreams/forks of zlib (of which there are far too many!) seem to
> have this?
Details are here: https://marc.info/?l=oss-security&m=166000850502312&w=2

As mentioned in https://www.cve.org/CVERecord?id=CVE-2022-37434, this overflow is only reachable if a caller previously called inflateGetHeader(), since otherwise state->head == Z_NULL.

According to codesearch.debian.org, very few things actually call this, but it's exposed in various language bindings, so it seemed reasonable to fix this in -stable.