[ubuntu-hardened] CVEs in vendored zlib in klibc on focal (and later)

Mike McCracken (mikmccra) mikmccra at cisco.com
Fri Mar 22 00:15:35 UTC 2024


Hi, a scanner recently flagged the following CVEs in the version of zlib that is vendored in klibc on focal:

CVE-2022-37434
CVE-2023-45853
CVE-2016-9841
CVE-2016-9843
CVE-2018-25032
CVE-2016-9840

We have klibc 2.0.7-1ubuntu5.1 from focal-security, and here is the zlib from 2.0.7:
https://git.kernel.org/pub/scm/libs/klibc/klibc.git/tree/usr/klibc/zlib/README?h=klibc-2.0.7#n3

While I see some klibc specific CVE fixes in the ubuntu changelog for 2.0.7-1ubuntu5.1, I don't see these zlib specific ones being addressed.

It also doesn't look like they are addressed in later Ubuntu versions of klibc either.


Am I not seeing something here or is this just a miss?

Thanks!
-mike

Related:
- there's also a bug about klibc's embedded gzip from a while back: https://bugs.launchpad.net/ubuntu/+source/klibc/+bug/1358762
- a similar list of zlib CVEs was addressed in rsync: rsync version 3.1.3-8ubuntu0.7 has an old version of zlib (1.2.8) vendored but has patches for these CVEs (give or take a couple).
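Added example (not part of Mike's message or of the klibc package): the check a practitioner would run before filing a report like the one above, cross-referencing the scanner's CVE list against the package's debian/changelog and against the ZLIB_VERSION string in the vendored zlib.h. The changelog and header excerpts below are constructed for illustration and say nothing about what the real klibc package fixes; the map of upstream zlib releases that first shipped each fix is an assumption for the example and should be confirmed against zlib's own ChangeLog.

```python
"""Triage scanner-reported zlib CVEs against a Debian/Ubuntu package.

Added example, not code from the mailing-list post or from klibc.
All sample inputs are constructed; the fix-release map is assumed.
"""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
VERSION_RE = re.compile(r'#define\s+ZLIB_VERSION\s+"([^"]+)"')

# Scanner findings, as listed in the post above.
SCANNER_CVES = [
    "CVE-2022-37434", "CVE-2023-45853", "CVE-2016-9841",
    "CVE-2016-9843", "CVE-2018-25032", "CVE-2016-9840",
]

# Upstream zlib release believed to first contain each fix. ASSUMED for
# this example; verify against upstream's ChangeLog before relying on it.
UPSTREAM_FIXED_IN = {
    "CVE-2016-9840": "1.2.9",
    "CVE-2016-9841": "1.2.9",
    "CVE-2016-9843": "1.2.9",
    "CVE-2018-25032": "1.2.12",
    "CVE-2022-37434": "1.2.13",
    "CVE-2023-45853": "1.3.1",
}

# CONSTRUCTED debian/changelog excerpt. It is not the real klibc changelog
# and does not describe what 2.0.7-1ubuntu5.1 actually patches.
SAMPLE_CHANGELOG = """\
klibc (2.0.7-1ubuntu5.1) focal-security; urgency=medium

  * SECURITY UPDATE: constructed entry for illustration only
    - debian/patches/example-zlib-inftrees.patch: backport upstream fix
    - CVE-2016-9840
    - CVE-2016-9841

 -- Example Maintainer <example@example.invalid>  Mon, 01 Jan 2024 00:00:00 +0000
"""

# CONSTRUCTED zlib.h excerpt; only the version define matters here.
SAMPLE_ZLIB_H = '#define ZLIB_VERSION "1.2.8"\n'


def version_tuple(v):
    """'1.2.11.1' -> (1, 2, 11, 1); a non-numeric component ends the tuple."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def vendored_zlib_version(header_text):
    """Return the ZLIB_VERSION string from a zlib.h, or None if absent."""
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def cves_in_changelog(changelog_text):
    """Every CVE identifier named anywhere in the changelog text."""
    return set(CVE_RE.findall(changelog_text))


def triage(scanner_cves, changelog_text, header_text, fixed_in=UPSTREAM_FIXED_IN):
    """Classify each CVE as:
      'changelog'   - named in the package changelog (distro backport claimed)
      'upstream'    - vendored copy is at or past the upstream fix release
      'unaddressed' - neither piece of evidence found
    'unaddressed' means "no evidence of a fix", not "proven vulnerable":
    a distro may backport a patch without bumping ZLIB_VERSION or naming
    the CVE, so this is a triage list to verify by hand, not a verdict.
    """
    mentioned = cves_in_changelog(changelog_text)
    vendored = vendored_zlib_version(header_text)
    vt = version_tuple(vendored) if vendored else ()
    result = {}
    for cve in scanner_cves:
        if cve in mentioned:
            result[cve] = "changelog"
        elif cve in fixed_in and vt and vt >= version_tuple(fixed_in[cve]):
            result[cve] = "upstream"
        else:
            result[cve] = "unaddressed"
    return result


if __name__ == "__main__":
    for cve, status in sorted(triage(SCANNER_CVES, SAMPLE_CHANGELOG, SAMPLE_ZLIB_H).items()):
        print(f"{cve}: {status}")
```

On a real system the inputs come from `apt-get source klibc` (debian/changelog) and the vendored header under usr/klibc/zlib/; anything reported as 'unaddressed' still needs a look at debian/patches, since a backported fix often leaves the version string untouched.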
