CVE-2022-37434 zlib vulnerability

[s1gkill]

Hello,

searching through the web for this vulnerability about Node + zlib, I decided to post an issue here inspired by this.

As discussed in issue mentioned above, NodeJS relies on Chromium's zlib implementation and Chromium maintainers have been applying software patches proactively. Looking both the Chromium source and NodeJS source the fix(es) applied by the zlib maintainer has not been patched yet.

Just wanted to bring this into your attention and hope to get some clarification on how would these normally be resolved?

Many thanks in advance!

[DanielRuf]

Hi @s1gkill,

thanks for letting us know.

As far as I understand from the description, Node is probably not affected.
Can you confirm this?

Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434
https://nvd.nist.gov/vuln/detail/CVE-2022-37434

Also I checked the linked "patch" reference. And there the developers write this:

Hi, @madler was this CVE introduced in the zlib-1.2.12 version, or this CVE affects the older 1.2.11 version as well?

madler/zlib@eff308a#commitcomment-80706024

Neither. This bug is not present in any released version of zlib. It was introduced two commits ago on the develop branch of zlib. (Is it standard practice to issue CVEs for unreleased code?)

madler/zlib@eff308a#commitcomment-80753451

So me it looks like the CPE entry is not correct and the CVE entry itself is also not valid. I will ask MITRE and the developers for clarification.

[RafaelGSS]

It was also referred by: nodejs/nodejs-dependency-vuln-assessments#50. I'll take a look on that to create an assessment

[s1gkill]

As far as I understand from the description, Node is probably not affected. Can you confirm this?

Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37434 https://nvd.nist.gov/vuln/detail/CVE-2022-37434

Also I checked the linked "patch" reference. And there the developers write this:

Hi, @madler was this CVE introduced in the zlib-1.2.12 version, or this CVE affects the older 1.2.11 version as well?

madler/zlib@eff308a#commitcomment-80706024

Neither. This bug is not present in any released version of zlib. It was introduced two commits ago on the develop branch of zlib. (Is it standard practice to issue CVEs for unreleased code?)

madler/zlib@eff308a#commitcomment-80753451

Thanks for a quick reply!

Hmm... I interpreted the comments as if they're talking about a bug that was introduced by the actual CVE vulnerability fix (so the 2 commits in zlib develop branch which has not yet been released). I also saw the commits being patched to other projects in here: curl/curl#9271, hence thought they must be important.

The original issue for myself is that this vulnerability is considered Critical by a security scanner.

[DanielRuf]

Things are getting a bit clearer now in the discussion.

• the CVE is valid and probably affects all releases from (including) 1.2.2.1 (was released in 2004 according to the changelogs and public repositories)
• there seems to have been some confusion ("Is it standard practice to issue CVEs for unreleased code?") around CVEs
• there is no new official release yet (Please make new release madler/zlib#686, compare https://github.com/madler/zlib/tree/develop to https://github.com/madler/zlib/tree/master)
• we will need two patches:
  • https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1.patch (to fix the CVE, causes segfault)
  • https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d.patch (fixes the new segfault)

[RafaelGSS]

We'll need to wait for the fork update as well. We don't use madler/zlib directly. Instead, we use the https://chromium.googlesource.com/chromium/src/third_party/zlib version.

[DanielRuf]

We'll need to wait for the fork update as well. We don't use madler/zlib directly. Instead, we use the https://chromium.googlesource.com/chromium/src/third_party/zlib version.

Understood. Linking the relevant lines that will need the changes: https://github.com/nodejs/node/blob/main/deps/zlib/inflate.c#L762-L764

[AxxlFoley]

@RafaelGSS @DanielRuf There was an update to https://chromium.googlesource.com/chromium/src/third_party/zlib today. Is this fixing the issue ?

[RafaelGSS]

@RafaelGSS @DanielRuf There was an update to https://chromium.googlesource.com/chromium/src/third_party/zlib today. Is this fixing the issue ?

It should. We're working to update the zlib on Node.js any time soon. Feel free to help on nodejs/node#44254.

[madler]

If node.js doesn't use inflateGetHeader(), then this is a fool's errand. It probably does not, since there is nothing in the node.js zlib interface that would require its use. All you need to do is search the node.js source code for that name.

[RafaelGSS]

Yes, it probably won't affect Node.js itself, but anyway it's good to have it updated.

[madler]

Sure, so long as no one is panicking and thinking "OMG, I need to get this updated right now!"

[RafaelGSS]

Absolutely. I'll just confirm that it doesn't affect Node.js and then close this issue.