[ubuntu-hardened] CVEs in vendored zlib in klibc on focal (and later)

Paulo Flabiano Smorigo pfsmorigo at canonical.com
Fri Apr 12 15:18:53 UTC 2024


Hello Mike,

Sorry for taking so long to respond. I've retriaged the CVEs you
mentioned and agree that klibc has zlib code vendored on it. I changed
the status in our tracker and added klibc as a dependency of it, so all
future CVEs that are for zlib will also add klibc as a possible affected
package.

For those 6 CVEs on your list, two (CVE-2016-9843 and CVE-2023-45853)
are not affecting klibc, as the code is not present. For the remaining
4, I have a colleague handling the backport, and a new version of klibc
will be released soon.

Thanks for reporting this.

-- 
Paulo Flabiano Smorigo


On Fri, Mar 22, 2024 at 12:15:35AM +0000, Mike McCracken (mikmccra) wrote:
> Hi, a scanner recently flagged the following CVEs in the version of zlib that is vendored in klibc on focal:
> 
> CVE-2022-37434
> CVE-2023-45853
> CVE-2016-9841
> CVE-2016-9843
> CVE-2018-25032
> CVE-2016-9840
> 
> We have klibc 2.0.7-1ubuntu5.1 from focal-security, and here is the zlib from 2.0.7:
> https://git.kernel.org/pub/scm/libs/klibc/klibc.git/tree/usr/klibc/zlib/README?h=klibc-2.0.7#n3
> 
> While I see some klibc-specific CVE fixes in the Ubuntu changelog for 2.0.7-1ubuntu5.1, I don't see these zlib-specific ones being addressed.
> 
> It also doesn't look like they are addressed in later Ubuntu versions of klibc either.
> 
> 
> Am I not seeing something here or is this just a miss?
> 
> Thanks!
> -mike
> 
> Related:
> - there's also a bug about klibc's embedded gzip from a while back: https://bugs.launchpad.net/ubuntu/+source/klibc/+bug/1358762
> - a similar list of zlib CVEs was addressed in rsync - rsync version 3.1.3-8ubuntu0.7 has an old version of zlib (1.2.8) vendored but has patches for these CVEs (give or take a couple).