[Bug lto/109428] GCC did not fix CVE-2022-37434, a heap overflow bug introduced by its dependency zlib code.

chluo at cse dot cuhk.edu.hk via Gcc-bugs Wed, 05 Apr 2023 22:36:44 -0700

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109428


chluo at cse dot cuhk.edu.hk changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|DUPLICATE                   |---
             Status|RESOLVED                    |UNCONFIRMED

--- Comment #2 from chluo at cse dot cuhk.edu.hk ---
Thank you for your quick update! The commit might just list one approach to
exploit the bug in **inflate()** function. I am not sure if there are other
ways to reach there but the buggy code is definitely a hazard. 
Anyway, it is good to align with the patched version of upstream code zlib. It
would not take effort since the patch is very easy to apply and verify.

[Bug lto/109428] GCC did not fix CVE-2022-37434, a heap overflow bug introduced by its dependency zlib code.

Reply via email to