4.0 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): HIGH
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): LOW
- Availability impact (A): LOW
Memory corruption issues in Cloudflare zlib implementation
The Cloudflare version of the zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). The issues resulted from improper input validation and a heap-based buffer overflow. A local attacker could exploit the problem during compression using a crafted malicious file, potentially leading to denial of service of the software.
Patches: The issue has been patched in commit 8352d10 (https://github.com/cloudflare/zlib/commit/8352d108c05db1bdc5ac3bdf834dad641694c13c). The upstream repository is not affected.
References
- https://github.com/cloudflare/zlib product
- https://github.com/cloudflare/zlib/security/advisories/GHSA-vww9-j87r-4cqh vendor-advisory
- https://github.com/cloudflare/zlib x_transferred product
- https://github.com/cloudflare/zlib/security/advisories/GHSA-vww9-j87r-4cqh vendor-advisory x_transferred
Affected products
- <8352d10
Matching in nixpkgs
pkgs.lzlib
Data compression library providing in-memory LZMA compression and decompression functions, including integrity checking of the decompressed data
-
nixos-unstable -
- nixpkgs-unstable 1.15
pkgs.zlib-ng
Zlib data compression library for the next generation systems
-
nixos-unstable -
- nixpkgs-unstable 2.2.5
pkgs.guile-zlib
GNU Guile library providing bindings to zlib
-
nixos-unstable -
- nixpkgs-unstable 0.2.2
pkgs.guile-lzlib
GNU Guile library providing bindings to lzlib
-
nixos-unstable -
- nixpkgs-unstable 0.3.0
pkgs.gnatcoll-zlib
GNAT Components Collection - Bindings to C libraries
-
nixos-unstable -
- nixpkgs-unstable 25.0.0
pkgs.haskellPackages.zlib
Compression and decompression in the gzip and zlib formats
-
nixos-unstable -
- nixpkgs-unstable 0.7.1.0
pkgs.luaPackages.lua-zlib
Simple streaming interface to zlib for Lua.
-
nixos-unstable -
- nixpkgs-unstable 1.3-0
pkgs.php81Extensions.zlib
PHP upstream extension: zlib
-
nixos-unstable -
- nixpkgs-unstable 8.1.33
pkgs.php82Extensions.zlib
PHP upstream extension: zlib
-
nixos-unstable -
- nixpkgs-unstable 8.2.29
pkgs.php83Extensions.zlib
PHP upstream extension: zlib
-
nixos-unstable -
- nixpkgs-unstable 8.3.25
pkgs.php84Extensions.zlib
PHP upstream extension: zlib
-
nixos-unstable -
- nixpkgs-unstable 8.4.12
pkgs.haskellPackages.bzlib
Compression and decompression in the bzip2 format
-
nixos-unstable -
- nixpkgs-unstable 0.5.2.0
pkgs.haskellPackages.lzlib
lzlib bindings
-
nixos-unstable -
- nixpkgs-unstable 1.0.7.4
pkgs.lua51Packages.lua-zlib
Simple streaming interface to zlib for Lua.
-
nixos-unstable -
- nixpkgs-unstable 1.3-0
pkgs.lua52Packages.lua-zlib
Simple streaming interface to zlib for Lua.
-
nixos-unstable -
- nixpkgs-unstable 1.3-0
pkgs.lua53Packages.lua-zlib
Simple streaming interface to zlib for Lua.
-
nixos-unstable -
- nixpkgs-unstable 1.3-0
pkgs.luajitPackages.lua-zlib
Simple streaming interface to zlib for Lua.
-
nixos-unstable -
- nixpkgs-unstable 1.3-0
pkgs.luaPackages.lua-ffi-zlib
A Lua module using LuaJIT's FFI feature to access zlib.
-
nixos-unstable -
- nixpkgs-unstable 0.6-0
pkgs.haskellPackages.zlib-clib
zlib C library bits
-
nixos-unstable -
- nixpkgs-unstable 1.3.1
pkgs.python312Packages.zlib-ng
Drop-in replacement for Python's zlib and gzip modules using zlib-ng
-
nixos-unstable -
- nixpkgs-unstable 0.5.1
pkgs.python313Packages.zlib-ng
Drop-in replacement for Python's zlib and gzip modules using zlib-ng
-
nixos-unstable -
- nixpkgs-unstable 0.5.1
pkgs.haskellPackages.pipes-zlib
Zlib and GZip compression and decompression for Pipes streams
-
nixos-unstable -
- nixpkgs-unstable 0.4.4.2
pkgs.haskellPackages.zlib-bytes
zlib compression bindings
-
nixos-unstable -
- nixpkgs-unstable 0.1.0.2
pkgs.lua51Packages.lua-ffi-zlib
A Lua module using LuaJIT's FFI feature to access zlib.
-
nixos-unstable -
- nixpkgs-unstable 0.6-0
pkgs.lua52Packages.lua-ffi-zlib
A Lua module using LuaJIT's FFI feature to access zlib.
-
nixos-unstable -
- nixpkgs-unstable 0.6-0
pkgs.lua53Packages.lua-ffi-zlib
A Lua module using LuaJIT's FFI feature to access zlib.
-
nixos-unstable -
- nixpkgs-unstable 0.6-0
pkgs.lua54Packages.lua-ffi-zlib
A Lua module using LuaJIT's FFI feature to access zlib.
-
nixos-unstable -
- nixpkgs-unstable 0.6-0
pkgs.luajitPackages.lua-ffi-zlib
A Lua module using LuaJIT's FFI feature to access zlib.
-
nixos-unstable -
- nixpkgs-unstable 0.6-0
pkgs.gnat14Packages.gnatcoll-zlib
GNAT Components Collection - Bindings to C libraries
-
nixos-unstable -
- nixpkgs-unstable 25.0.0
pkgs.gnat15Packages.gnatcoll-zlib
GNAT Components Collection - Bindings to C libraries
-
nixos-unstable -
- nixpkgs-unstable 25.0.0
pkgs.haskellPackages.zlib-conduit
Streaming compression/decompression via conduits. (deprecated)
-
nixos-unstable -
- nixpkgs-unstable 1.1.0
pkgs.haskellPackages.bzlib-conduit
Streaming compression/decompression via conduits
-
nixos-unstable -
- nixpkgs-unstable 0.3.0.4
pkgs.haskellPackages.zlib-bindings
Low-level bindings to the zlib package
-
nixos-unstable -
- nixpkgs-unstable 0.1.1.5
pkgs.chickenPackages_5.chickenEggs.zlib
Bindings for zlib
-
nixos-unstable -
- nixpkgs-unstable 0.7.0
pkgs.python312Packages.aiohttp-fast-zlib
Use the fastest installed zlib compatible library with aiohttp
-
nixos-unstable -
- nixpkgs-unstable 0.3.0
pkgs.python313Packages.aiohttp-fast-zlib
Use the fastest installed zlib compatible library with aiohttp
-
nixos-unstable -
- nixpkgs-unstable 0.3.0
pkgs.tests.testers.hasPkgConfigModules.zlib-has-zlib
Test whether zlib-1.3.1 exposes pkg-config modules zlib
Package maintainers
- @sternenseemann Lukas Epple <sternenseemann@systemli.org>
- @foo-dogsquared Gabriel Arazas <foodogsquared@foodogsquared.one>
- @k0ral Koral <koral@mailoo.org>
- @piotrkwiecinski Piotr Kwiecinski <piokwiecinski+nixpkgs@gmail.com>
- @talyz Kim Lindberger <kim.lindberger@gmail.com>
- @Ma27 Maximilian Bosch <maximilian@mbosch.me>
- @aanderse Aaron Andersen <aaron@fosslib.net>
- @mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
- @Izorkin Yurii Izorkin <Izorkin@gmail.com>