Vulnerability scanners flagging zlib 1.2.12 CVE-2022-37434 #2626

Closed
flavorjones opened this issue Aug 18, 2022 · 4 comments
Comments

@flavorjones (Member)

Recently Canonical issued a patch to zlib as USN-5570-1 to address CVE-2022-37434.

Nokogiri's native gems for Linux, Darwin, and Windows all statically link against zlib, and so this issue exists to investigate whether Nokogiri users may be affected by the CVE.

@flavorjones (Member, Author)

The CVE description says:

NOTE: only applications that call inflateGetHeader are affected.
...
Apps are only vulnerable if they use inflateGetHeader() and call inflate() in a loop.

A quick look at how libxml2 uses zlib shows that inflateGetHeader is not called (see libxml2's xzlib.c). Based on that knowledge, the Nokogiri maintainers conclude that Nokogiri users aren't vulnerable because of the zlib packaged in the native gems.
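
The triage in the comment above rests on two checks: which zlib version is compiled in, and whether the consuming C code actually calls inflateGetHeader(). The Ruby script below is an added example of automating that check; it is not code from Nokogiri, libxml2 or zlib. The zlib.h fragments and the two C snippets (one written in the style of libxml2's xzlib.c, one showing the affected pattern) are constructed for this example; the function names inflateInit2, inflate, inflateGetHeader and inflateEnd are real zlib API names, and 1.2.13 is the release that fixed the CVE, as noted later in the thread.

```ruby
# Added example, not Nokogiri's or libxml2's own code: triage helper for
# CVE-2022-37434 in a vendored (statically linked) zlib.
#   1. read the ZLIB_VERSION define out of zlib.h, and
#   2. check whether the C code that uses zlib calls inflateGetHeader(),
#      which the CVE text says is required for an application to be affected.
# A scanner that keys only on the version string stops after step 1.
require "rubygems"

FIXED_ZLIB = Gem::Version.new("1.2.13")  # first zlib release containing the fix

# Extract the version from a line such as: #define ZLIB_VERSION "1.2.12"
def zlib_version_from_header(header_text)
  m = header_text.match(/^\s*#\s*define\s+ZLIB_VERSION\s+"([^"]+)"/)
  m && Gem::Version.new(m[1])
end

# Drop C block and line comments so a commented-out call does not count.
# (Simplified: a "//" inside a string literal would also be treated as a comment.)
def strip_c_comments(src)
  src.gsub(%r{/\*.*?\*/}m, " ").gsub(%r{//[^\n]*}, "")
end

# Names of zlib inflate-side functions called in src, e.g. ["inflate", "inflateInit2"].
def zlib_inflate_calls(src)
  code = strip_c_comments(src)
  code.scan(/\b(inflate(?:Init2?_?|GetHeader|End|Reset)?)\s*\(/).flatten.uniq.sort
end

def calls_inflate_get_header?(src)
  zlib_inflate_calls(src).include?("inflateGetHeader")
end

# Verdict: affected only when zlib < 1.2.13 AND some caller uses inflateGetHeader().
def cve_2022_37434_triage(header_text, c_sources)
  version = zlib_version_from_header(header_text)
  raise ArgumentError, "ZLIB_VERSION not found in header" unless version
  old_zlib = version < FIXED_ZLIB
  uses_get_header = c_sources.any? { |s| calls_inflate_get_header?(s) }
  {
    zlib_version: version.to_s,
    flagged_by_version_scanner: old_zlib,
    calls_inflateGetHeader: uses_get_header,
    affected: old_zlib && uses_get_header,
  }
end

# ---- constructed sample inputs (not real files) ----
ZLIB_H_1_2_12 = <<~HDR
  /* zlib.h -- interface of the 'zlib' general purpose compression library */
  #define ZLIB_VERSION "1.2.12"
  #define ZLIB_VERNUM 0x12c0
HDR
ZLIB_H_1_2_13 = ZLIB_H_1_2_12.sub('"1.2.12"', '"1.2.13"')

# Written in the style of libxml2's xzlib.c: inflate() is used, inflateGetHeader() is not.
XZLIB_LIKE = <<~CSRC
  static int xz_make(xz_statep state) {
      /* inflateGetHeader(&state->zstrm, &hdr);  -- commented out, must not count */
      if (inflateInit2(&(state->zstrm), 15 + 16) != Z_OK) return -1;
      ret = inflate(&(state->zstrm), Z_NO_FLUSH);
      return ret;
  }
CSRC

# The affected pattern from the CVE text: inflateGetHeader() plus inflate() in a loop.
GET_HEADER_LOOP = <<~CSRC
  int read_gzip(z_stream *strm, gz_header *hdr) {
      if (inflateInit2(strm, 31) != Z_OK) return -1;
      inflateGetHeader(strm, hdr);
      int ret;
      do {
          ret = inflate(strm, Z_NO_FLUSH);
      } while (ret == Z_OK);
      return inflateEnd(strm);
  }
CSRC

if $PROGRAM_NAME == __FILE__
  pp cve_2022_37434_triage(ZLIB_H_1_2_12, [XZLIB_LIKE])       # flagged, not affected
  pp cve_2022_37434_triage(ZLIB_H_1_2_12, [GET_HEADER_LOOP])  # flagged and affected
  pp cve_2022_37434_triage(ZLIB_H_1_2_13, [GET_HEADER_LOOP])  # fixed version, not affected
end
```

Run against a real checkout, the header text would come from the vendored zlib.h and the C sources from the files that include zlib.h (for Nokogiri's gems, libxml2's xzlib.c). The split between "flagged by version" and "affected" is the point: a version-only scanner and a reachability check can legitimately disagree, which is exactly the situation this issue describes.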

@flavorjones (Member, Author)

We received a report that some vulnerability scanners are flagging Nokogiri due to the presence of zlib 1.2.12.

We'll release a patch version of Nokogiri with a newer zlib as soon as a newer version is available (as of 2022-08-18 1.2.12 is still the latest release).

@flavorjones changed the title from "Investigate impact of zlib CVE-2022-37434" to "Some vulnerability scanners are flagging zlib 1.2.12 for CVE-2022-37434" on Aug 18, 2022
@flavorjones pinned this issue on Aug 18, 2022
@flavorjones changed the title from "Some vulnerability scanners are flagging zlib 1.2.12 for CVE-2022-37434" to "Vulnerability scanners flagging zlib 1.2.12 CVE-2022-37434" on Aug 18, 2022
@flavorjones (Member, Author)

I see that Canonical published USN-5570-2 today updating their distro to address this vulnerability.

I also see that zlib released v1.2.13 four days ago, which patches this vulnerability. The next patch release of Nokogiri will include this version.

@flavorjones (Member, Author)

v1.13.9 has been released with zlib 1.2.13.

@flavorjones unpinned this issue on May 26, 2023