madler
commented
7 months ago The code that was fixed does not exist in zlib's deflate.c. prev_length is never set to zero, and max_block_size is not present.
Closed ekomarova closed 7 months ago
madler
commented
7 months ago The code that was fixed does not exist in zlib's deflate.c. prev_length is never set to zero, and max_block_size is not present.
zjhua2002
commented
7 months ago @madler would you pls. kindly indicate this issue was fixed in which version?
madler
commented
7 months ago This vulnerability never existed in zlib.
BDBA scan detects the following vulnerability: CVE-2023-6992 in deflate.c.
I am not an expert in zlib code, but I just want to highlight that such a vulnerability exists and seems to have a fix here https://github.com/cloudflare/zlib/commit/8352d108c05db1bdc5ac3bdf834dad641694c13c in cloudflare version. Could you please take a look at this and analyze how much this vulnerability may affect users?
I also see that the upstream repo (this repo since cloudflare is a fork) are not affected, but it looks like there is similar code in deflate.c. that was fixed in the commit above, that's why I'm asking to take a look at this