Severe Vulnerability in zlog 1.2.17 #250

Closed
faran1512 opened this issue Feb 19, 2024 · 10 comments

Comments

@faran1512

We have found a severe vulnerability that can be exploited. We want you to patch the vulnerability before we disclose this publicly. We have emailed (HardySimpson1984@gmail.com) but no response has been made.
Contact us before we publicly disclose it.

Thanks

CC @alirazamumtaz

@alirazamumtaz
Contributor

Furthermore, we have reserved a CVE number with @CVEProject

@ptitvert

ptitvert commented Feb 19, 2024

I am not part of the project, but did you try your vulnerability on 1.2.17, which is the latest release?
From my own perspective, to have such a severe message on a severe vulnerability, it would make sense to check on the latest version and not one which was published nearly 2 years ago.

If yes, and your discovery is also valid for 1.2.17, then say so. It is like if you said, I have found a severe vulnerability on Windows 11 from 2 years ago. I would like to know about the current status, not the past.

It looks to me like 1.2.17 is not impacted, but only 1.2.16.

But again, I am not part of the project, just a user of the library, which finds your ticket strange.

@alirazamumtaz
Contributor

Yes, the latest version (1.2.17) is also vulnerable.

@faran1512 changed the title from "Severe Vulnerability in zlog 1.2.16" to "Severe Vulnerability in zlog 1.2.17" on Feb 20, 2024

@solardiz

This is now also brought up in https://www.openwall.com/lists/oss-security/2024/02/28/2, and as oss-security moderator I'm going to ask for actual detail to be posted publicly soon, ideally along with a proposed patch, which I guess can also be sent via a pull request in here.

It appears that @HardySimpson is currently mostly inactive on GitHub and with the project - only one contribution in a year (on December 4), so it may not make sense to wait for a response much longer. Hopefully, someone else with the project is able to merge a PR and make a release? Please speak up.

@solardiz

@deemar I see you were the one to merge recent PRs. Would you take care of this issue as well, please? Coordinate with @faran1512 and @alirazamumtaz on them sharing the actual vulnerability detail and proposed fix with the project, merge it, make a release.

The issue is now described on oss-security as "essentially a heap-based buffer overflow leading to denial of service and arbitrary code execution" and is CVE-2024-22857.

If the issue is in fact as described, I think it's reasonable to plan on having the fix merged within a week from now. Realistic?

@deemar
Collaborator

deemar commented Feb 29, 2024

@solardiz @faran1512
please give more details or push your PR and I will deal with it

@solardiz

@deemar I don't have more details - @faran1512 and @alirazamumtaz say they do. I am merely helping them coordinate the disclosure. Would you like them to make this information public right away (such as in comments to this issue or in a PR), or should they communicate it to you privately first? Either way has its pros and cons, so this is up to you - please just state your preference. Thank you!

@deemar
Collaborator

deemar commented Feb 29, 2024

@solardiz Then I hope @faran1512 and @alirazamumtaz can give me some more detail.
No need for private communication. Make everything public, please.

@alirazamumtaz
Contributor

Thank you @solardiz for your help in this disclosure. @deemar we have made a pull request #251 along with an intended patch. Let us know if you need more information. Thank you!

@faran1512
Author

The issue has been patched, and thanks to @solardiz and @deemar for coordination. I am now closing this issue.
