CVE-2016-9842

HIGH

zlib 1.2.8 - Info Disclosure

Title source: llm

Description

The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.

References (30)

[Broken Link] http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html

[Broken Link] http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html

[Broken Link] http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html

[Mailing List, Patch] http://www.openwall.com/lists/oss-security/2016/12/05/21

[Third Party Advisory] http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

[Third Party Advisory] http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

[Broken Link, Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/95131

[Broken Link, Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1039427

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:1220

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:1221

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:1222

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:2999

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:3046

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:3047

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:3453

[Issue Tracking, Patch] https://bugzilla.redhat.com/show_bug.cgi?id=1402348

[Patch] https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958

View Patch ZIP pw:eip

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html

[Third Party Advisory] https://security.gentoo.org/glsa/201701-56

... and 10 more

Scores

CVSS v3 8.8

EPSS 0.1213

EPSS Percentile 93.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE

CWE-1335

Status draft

Affected Products (30)

zlib/zlib < 1.2.9

opensuse/leap

opensuse/opensuse

debian/debian_linux

canonical/ubuntu_linux

oracle/database_server

oracle/jdk

oracle/jre

oracle/mysql < 5.5.61

... and 15 more

Timeline

Published May 23, 2017

Tracked Since Feb 18, 2026