
zlib version 1.2.12 currently used by GnuPG / Gpg4Win suffers from CVE-2022-37434 / 2 patches are available
Closed, ResolvedPublic

Description

Hello,

the zlib version 1.2.12 currently used by GnuPG / Gpg4Win suffers from CVE-2022-37434:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=blob;f=packages/packages.common;hb=HEAD#l23

Since 20220808, there are 2 patches available by Mark Adler:
https://github.com/madler/zlib/commit/eff308af42.patch
https://github.com/madler/zlib/commit/1eb7682f84.patch

Source: https://github.com/openwrt/openwrt/issues/10582

Maybe it's a good idea to merge them into the GnuPG / Gpg4Win build ...

Background-Info:

The commit:
https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1

... fixed CVE-2022-37434, but at the same time introduced a segmentation fault, which has since been fixed in the development branch with the commit:
https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d

So far (status: 20220902) it hasn't made it into the master branch yet... maybe there will be a release soon... :-)

Here is the information about it:
https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1#commitcomment-80801182

Best Regards,

Veit Berwig

Event Timeline

vitusb created this object in space S1 Public.
vitusb added projects: gnupg, gpg4win.
werner triaged this task as High priority.
werner edited projects, added kleopatra; removed gnupg.
werner added a subscriber: werner.

Thanks for mentioning this. I looked at the CVE last Sunday and figured that we are not affected. The vulnerable function inflateGetHeader is not used by GnuPG because we don't support the gzip format.

I am also not aware that Kleopatra supports the gzip format - however we should better double check that none of the KDE I/O handlers are affected.

inflateGetHeader does not seem to be called by anything from KDE. The only hits are from a copy of zlib included in marble.
https://lxr.kde.org/search?%21v=kf5-qt5&_filestring=&_string=inflateGetHeader
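The check described in the thread (is the bundled zlib older than 1.2.13, and does anything outside zlib itself call inflateGetHeader, the entry point affected by CVE-2022-37434?) as a script. This is an added example, not code from the GnuPG, Gpg4win or KDE projects; it assumes a source tree where the vendored zlib lives under a directory named zlib/, and the directory and file names in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example: audit a source tree for the zlib CVE-2022-37434 exposure that
# werner checked by hand above. Assumptions (not from the tracker page): the
# vendored zlib sits in a directory whose path contains "/zlib/", and 1.2.13 is
# the first zlib release carrying both upstream commits (eff308af, 1eb7682f).

# Print the ZLIB_VERSION string defined in a zlib.h (empty if not found).
zlib_version_from_header() {
    sed -n 's/^#define[[:space:]]*ZLIB_VERSION[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Exit 0 if the version is below 1.2.13 (affected). An empty or unparsable
# version is treated as affected, so an unknown copy is never silently passed.
zlib_version_is_affected() {
    printf '%s\n' "$1" | awk -F. '{
        maj = $1 + 0; min = $2 + 0; pat = $3 + 0
        affected = (maj < 1) || (maj == 1 && (min < 2 || (min == 2 && pat < 13)))
        exit affected ? 0 : 1
    }'
}

# List C/C++ sources under DIR that reference inflateGetHeader, excluding
# zlib's own sources (which declare and define it).
find_inflategetheader_callers() {
    grep -rl --include='*.c' --include='*.cc' --include='*.cpp' --include='*.h' \
        'inflateGetHeader' "$1" 2>/dev/null | grep -v '/zlib/' || true
}

# Report for a whole tree. Exit 1 only when an affected zlib is bundled AND
# some non-zlib code calls inflateGetHeader; otherwise exit 0.
audit_zlib_tree() {
    dir=$1
    header=$(find "$dir" -path '*/zlib/zlib.h' 2>/dev/null | head -n 1)
    version=$(zlib_version_from_header "${header:-/dev/null}")
    callers=$(find_inflategetheader_callers "$dir")
    echo "bundled zlib: ${version:-unknown} (${header:-no zlib.h found})"
    if [ -n "$callers" ]; then
        echo "inflateGetHeader callers:"
        echo "$callers"
    else
        echo "inflateGetHeader callers: none"
    fi
    if zlib_version_is_affected "$version" && [ -n "$callers" ]; then
        echo "RESULT: exposed to CVE-2022-37434, apply eff308af and 1eb7682f or update zlib"
        return 1
    fi
    echo "RESULT: not exposed (no caller of the affected function, or zlib >= 1.2.13)"
    return 0
}

# Usage (hypothetical path): ./audit_zlib.sh /path/to/gpg4win/src
if [ -n "${1:-}" ]; then
    audit_zlib_tree "$1"
fi
```

The grep is deliberately a textual search, the same kind of check werner ran against lxr.kde.org: it finds direct references only, so a build that reaches inflateGetHeader through a wrapper library (a Qt or KDE I/O plugin, for instance) still needs that library's sources in the audited tree.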