Vulnerability scanners flagging zlib 1.2.12 CVE-2022-37434

[flavorjones]

Recently Canonical issued a patch to zlib as USN-5570-1 to address CVE-2022-37434.

Nokogiri's native gems for Linux, Darwin, and Windows all statically link against zlib, and so this issue exists to investigate whether Nokogiri users may be affected by the CVE.

[flavorjones]

The CVE description says:

NOTE: only applications that call inflateGetHeader are affected.
...
Apps are only vulnerable if they use inflateGetHeader() and call inflate() in a loop.

A quick look at how libxml2 uses zlib shows that inflateGetHeader is not called (see libxml2's xzlib.c). Based on that knowledge, the Nokogiri maintainers conclude that Nokogiri users aren't vulnerable because of the zlib packaged in the native gems.

[flavorjones]

We received a report that some vulnerability scanners are flagging Nokogiri due to the presence of zlib 1.2.12.

We'll release a patch version of Nokogiri with a newer zlib as soon as a newer version is available (as of 2022-08-18 1.2.12 is still the latest release).

[flavorjones]

I see that Canonical published USN-5570-2 today updating their distro to address this vulnerability.

I also see that zlib released v1.2.13 four days ago, which patches this vulnerability. The next patch release of Nokogiri will include this version.

[flavorjones]

v1.13.9 has been released with zlib 1.2.13.