中危 zlib缓冲区错误漏洞(CVE-2022-37434)

CVE编号

CVE-2022-37434

利用情况

暂无

补丁情况

官方补丁

披露时间

2022-08-05
漏洞描述
zlib是美国Mark Adler个人开发者的一个通用的数据压缩库。
zlib 1.2.12版本存在缓冲区错误漏洞,该漏洞源于在inflate.c中通过一个大的gzip标头额外字段在inflate中具有基于堆的缓冲区过度读取或缓冲区溢出。
解决建议
目前厂商已发布升级补丁以修复漏洞,详情请关注厂商主页:

https://github.com/madler/zlib/
参考链接
http://seclists.org/fulldisclosure/2022/Oct/37
http://seclists.org/fulldisclosure/2022/Oct/38
http://seclists.org/fulldisclosure/2022/Oct/41
http://seclists.org/fulldisclosure/2022/Oct/42
http://www.openwall.com/lists/oss-security/2022/08/05/2
http://www.openwall.com/lists/oss-security/2022/08/09/1
https://github.com/curl/curl/issues/9271
https://github.com/ivd38/zlib_overflow
https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/...
https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/...
https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedorapr...
https://security.netapp.com/advisory/ntap-20220901-0005/
https://security.netapp.com/advisory/ntap-20230427-0007/
https://support.apple.com/kb/HT213488
https://support.apple.com/kb/HT213489
https://support.apple.com/kb/HT213490
https://support.apple.com/kb/HT213491
https://support.apple.com/kb/HT213493
https://support.apple.com/kb/HT213494
https://www.debian.org/security/2022/dsa-5218
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
应用 zlib zlib * Up to
(including)
1.2.12
阿里云评分
6.2
  • 攻击路径
    远程
  • 攻击复杂度
    复杂
  • 权限要求
    无需权限
  • 影响范围
    全局影响
  • EXP成熟度
    未验证
  • 补丁情况
    官方补丁
  • 数据保密性
    数据泄露
  • 数据完整性
    无影响
  • 服务器危害
    无影响
  • 全网数量
    N/A
CWE-ID 漏洞类型
CWE-787 跨界内存写
阿里云安全产品覆盖情况