public inbox for gcc-bugs@sourceware.org
* [Bug lto/109428] New: GCC did not fix CVE-2022-37434, a heap overflow bug introduced by its dependency zlib code.
@ 2023-04-06  4:54 chluo at cse dot cuhk.edu.hk
  2023-04-06  5:01 ` [Bug lto/109428] " pinskia at gcc dot gnu.org
                   ` (5 more replies)
  0 siblings, 6 replies; 7+ messages in thread
From: chluo at cse dot cuhk.edu.hk @ 2023-04-06  4:54 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109428

            Bug ID: 109428
           Summary: GCC did not fix CVE-2022-37434, a heap overflow bug
                    introduced by its dependency zlib code.
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: lto
          Assignee: unassigned at gcc dot gnu.org
          Reporter: chluo at cse dot cuhk.edu.hk
                CC: marxin at gcc dot gnu.org
  Target Milestone: ---

GCC reused zlib 1.2.11. A heap overflow vulnerability
(https://github.com/madler/zlib/issues/723) was recently found in zlib through
version 1.2.12 and was patched in the latest version of zlib in
https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1.
The patch basically inserted an additional check at the if condition and does
not influence any functionalities.

We found that in the current version of GCC
(0f816116356fec32e3a3a2fb5af790a0438c5da4), the simple patch has still not been
propagated yet. Since the vulnerability in zlib also impacts GCC and it has been
publicly known for a while, we believe GCC should apply the patch ASAP.


* [Bug lto/109428] GCC did not fix CVE-2022-37434, a heap overflow bug introduced by its dependency zlib code.
From: pinskia at gcc dot gnu.org @ 2023-04-06  5:01 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109428

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |DUPLICATE

--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Dup.

*** This bug has been marked as a duplicate of bug 105404 ***


* [Bug lto/109428] GCC did not fix CVE-2022-37434, a heap overflow bug introduced by its dependency zlib code.
From: chluo at cse dot cuhk.edu.hk @ 2023-04-06  5:35 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109428

chluo at cse dot cuhk.edu.hk changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|DUPLICATE                   |---
             Status|RESOLVED                    |UNCONFIRMED

--- Comment #2 from chluo at cse dot cuhk.edu.hk ---
Thank you for your quick update! The commit might just list one approach to
exploit the bug in **inflate()** function. I am not sure if there are other
ways to reach there but the buggy code is definitely a hazard. 
Anyway, it is good to align with the patched version of upstream code zlib. It
would not take effort since the patch is very easy to apply and verify.


* [Bug lto/109428] GCC did not fix CVE-2022-37434, a heap overflow bug introduced by its dependency zlib code.
From: pinskia at gcc dot gnu.org @ 2023-04-06  5:38 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109428

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |DUPLICATE
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #3 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Still a dup of bug 105404 because we have not updated the sources yet for
either CVE.

*** This bug has been marked as a duplicate of bug 105404 ***


* [Bug lto/109428] GCC did not fix CVE-2022-37434, a heap overflow bug introduced by its dependency zlib code.
From: pinskia at gcc dot gnu.org @ 2023-04-06  5:45 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109428

--- Comment #4 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
(In reply to chluo from comment #2)
> Thank you for your quick update! The commit might just list one approach to
> exploit the bug in **inflate()** function. I am not sure if there are other
> ways to reach there but the buggy code is definitely a hazard. 
> Anyway, it is good to align with the patched version of upstream code zlib.
> It would not take effort since the patch is very easy to apply and verify.

Also, the only way to hit the bug is if state->head is non-null. The only place
which sets state->head to non-null is inflateGetHeader, since state is an
opaque object outside of zlib even. So if someone modifies the state from
outside of zlib, then there might be other issues.

Anyways, GCC does not modify state either, nor does it call inflateGetHeader, so
it would not hit this bug.

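An added triage check, not code from this thread or from GCC, that combines the two points made above: the reporter's observation that the vendored zlib copy is an unfixed version, and Andrew Pinski's argument that the overflow is only reachable when the consumer calls inflateGetHeader. It assumes the consuming project's sources are passed separately from zlib's own files, and that 1.2.13 is the first zlib release containing the linked fix commit.

```python
import re

# First zlib release carrying the fix commit linked in the report (the thread
# says the bug affects zlib through 1.2.12). Assumption stated in the lead-in.
FIXED_VERSION = (1, 2, 13)

VERSION_RE = re.compile(r'^\s*#\s*define\s+ZLIB_VERSION\s+"([0-9.]+)"', re.M)
CALL_RE = re.compile(r'\binflateGetHeader\s*\(')
COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*', re.S)


def parse_version(zlib_h):
    """ZLIB_VERSION from a zlib.h text as an int tuple, or None if not found."""
    m = VERSION_RE.search(zlib_h)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def inflate_get_header_callers(sources):
    """sources: {path: C text} of the *consuming* project only (zlib's own
    inflate.c defines the function and would match). Comments are stripped
    first so a mention in a comment is not counted as a call."""
    return [p for p, t in sources.items() if CALL_RE.search(COMMENT_RE.sub("", t))]


def triage(zlib_h, consumer_sources):
    ver = parse_version(zlib_h)
    # Unknown version is treated conservatively as unfixed.
    has_fix = ver is not None and ver >= FIXED_VERSION
    callers = inflate_get_header_callers(consumer_sources)
    return {
        "vendored_version": ver,
        "vendored_copy_has_fix": has_fix,
        "inflateGetHeader_callers": callers,
        # state->head is only made non-NULL by inflateGetHeader, so a consumer
        # that never calls it cannot reach the overflow even in an unfixed copy.
        "reachable": (not has_fix) and bool(callers),
    }


# Constructed samples (not GCC's real files): an unfixed vendored zlib.h, a
# consumer that only uses the plain inflate API, and one that reads gzip headers.
SAMPLE_ZLIB_H = ('#define ZLIB_VERSION "1.2.11"\n'
                 'ZEXTERN int ZEXPORT inflateGetHeader OF((z_streamp strm, gz_headerp head));\n')
SAMPLE_CONSUMER = {
    "decompress.c": "/* inflateGetHeader( is never used here */\n"
                    "int run(z_streamp s) { inflateInit(s); return inflate(s, Z_NO_FLUSH); }\n",
}
SAMPLE_HEADER_USER = {
    "gzhdr.c": "int f(z_streamp s, gz_headerp h) { return inflateGetHeader(s, h); }\n",
}

if __name__ == "__main__":
    print(triage(SAMPLE_ZLIB_H, SAMPLE_CONSUMER))
    print(triage(SAMPLE_ZLIB_H, SAMPLE_HEADER_USER))
```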

* [Bug lto/109428] GCC did not fix CVE-2022-37434, a heap overflow bug introduced by its dependency zlib code.
From: chluo at cse dot cuhk.edu.hk @ 2023-04-06  5:50 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109428

--- Comment #5 from chluo at cse dot cuhk.edu.hk ---
OK, also thanks for the kind explanations!


* [Bug lto/109428] GCC did not fix CVE-2022-37434, a heap overflow bug introduced by its dependency zlib code.
From: xry111 at gcc dot gnu.org @ 2023-04-06 12:40 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109428

Xi Ruoyao <xry111 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |xry111 at gcc dot gnu.org

--- Comment #6 from Xi Ruoyao <xry111 at gcc dot gnu.org> ---
FWIW use --with-system-zlib when you configure GCC if you want to use zlib
installed on the system instead of the shipped copy.

