Bug 1013882 - (CVE-2016-9843) VUL-0: CVE-2016-9843: zlib: Big-endian out-of-bounds pointer
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/177159/
CVSSv2:SUSE:CVE-2016-9843:4.6:(AV:N/A...
Reported: 2016-12-06 10:52 UTC by Marcus Meissner
Modified: 2019-11-12 16:40 UTC (History)

Found By: Security Response Team
Description Marcus Meissner 2016-12-06 10:52:05 UTC
CVE-2016-9843


Finding 5: Big-endian out-of-bounds pointer (Low)

Fix: https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811

Use CVE-2016-9843.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9843
http://seclists.org/oss-sec/2016/q4/602
Comment 1 Swamp Workflow Management 2016-12-06 23:00:33 UTC
bugbot adjusting priority
Comment 2 Tomáš Chvátal 2016-12-12 10:55:51 UTC
This is a duplicate of bnc#1003580 from my PoV, with just the CVE number added.
Comment 3 Tomáš Chvátal 2016-12-12 10:58:17 UTC
Should I update the submissions by adding just the CVE number or is something else missing?
Comment 4 Marcus Meissner 2016-12-12 12:02:44 UTC
not aware of anything else missing, so just resubmit with CVEs
Comment 5 Marcus Meissner 2016-12-12 12:05:47 UTC
hmm, see the other bug.

the big endian fix is this:
https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811
Comment 6 Tomáš Chvátal 2016-12-12 12:35:30 UTC
Patches updated, changelog refreshed.
Comment 7 Bernhard Wiedemann 2016-12-12 13:04:14 UTC
This is an autogenerated message for OBS integration:
This bug (1013882) was mentioned in
https://build.opensuse.org/request/show/445412 Factory / zlib
https://build.opensuse.org/request/show/445413 13.2 / zlib
Comment 9 Swamp Workflow Management 2016-12-20 20:09:35 UTC
openSUSE-SU-2016:3202-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1003577,1003579,1003580,1013882
CVE References: CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Sources used:
openSUSE 13.2 (src):    zlib-1.2.8-5.8.1
Comment 10 Swamp Workflow Management 2016-12-21 19:08:01 UTC
SUSE-SU-2016:3209-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1003577,1003579,1003580,1013882
CVE References: CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    zlib-1.2.7-0.14.1
SUSE Linux Enterprise Server 11-SP4 (src):    zlib-1.2.7-0.14.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    zlib-1.2.7-0.14.1
Comment 11 Swamp Workflow Management 2017-01-02 11:09:49 UTC
SUSE-SU-2017:0003-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1003577,1003579,1003580,1013882
CVE References: CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    zlib-1.2.8-11.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    zlib-1.2.8-11.1
SUSE Linux Enterprise Server 12-SP2 (src):    zlib-1.2.8-11.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    zlib-1.2.8-11.1
Comment 12 Swamp Workflow Management 2017-01-02 11:10:40 UTC
SUSE-SU-2017:0004-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1003577,1003579,1003580,1013882
CVE References: CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    zlib-1.2.8-6.3.1
SUSE Linux Enterprise Server 12-SP1 (src):    zlib-1.2.8-6.3.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    zlib-1.2.8-6.3.1
Comment 13 Swamp Workflow Management 2017-01-08 00:20:30 UTC
openSUSE-SU-2017:0077-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1003577,1003579,1003580,1013882
CVE References: CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Sources used:
openSUSE Leap 42.1 (src):    zlib-1.2.8-8.1
Comment 14 Swamp Workflow Management 2017-01-08 00:21:42 UTC
openSUSE-SU-2017:0080-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1003577,1003579,1003580,1013882
CVE References: CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Sources used:
openSUSE Leap 42.2 (src):    zlib-1.2.8-10.1
Comment 15 Marcus Meissner 2017-10-25 20:01:48 UTC
released
Comment 16 Swamp Workflow Management 2018-06-26 13:09:22 UTC
SUSE-SU-2018:1815-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1003577,1003579,1003580,1013882,1095016,912771,920442
CVE References: CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Sources used:
SUSE Studio Onsite 1.3 (src):    zlib-1.2.7-0.135.3.1
Comment 17 Kristyna Streitova 2018-10-23 11:25:32 UTC
It was addressed within the latest Oracle Critical Patch Update Advisory for MySQL - October 2018 (in the bundled zlib library). We use the system zlib library, so this is just for reference completeness. Submitted for mysql in SLE11SP3 via mr#175477.
Comment 18 Swamp Workflow Management 2018-10-23 11:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1013882) was mentioned in
https://build.opensuse.org/request/show/643927 42.3 / mysql-community-server
Comment 20 Swamp Workflow Management 2018-10-25 22:18:21 UTC
openSUSE-SU-2018:3478-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 1013882,1112368,1112369,1112390,1112393,1112397,1112398,1112417,1112421,1112432
CVE References: CVE-2016-9843,CVE-2018-3133,CVE-2018-3143,CVE-2018-3156,CVE-2018-3174,CVE-2018-3247,CVE-2018-3251,CVE-2018-3276,CVE-2018-3278,CVE-2018-3282
Sources used:
openSUSE Leap 42.3 (src):    mysql-community-server-5.6.42-42.1
Comment 21 Swamp Workflow Management 2018-10-29 11:11:48 UTC
SUSE-SU-2018:3542-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1013882,1112368,1112369,1112432
CVE References: CVE-2016-9843,CVE-2018-3133,CVE-2018-3174,CVE-2018-3282
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    mysql-5.5.62-0.39.18.1
SUSE Linux Enterprise Server 11-SP4 (src):    mysql-5.5.62-0.39.18.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    mysql-5.5.62-0.39.18.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    mysql-5.5.62-0.39.18.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    mysql-5.5.62-0.39.18.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    mysql-5.5.62-0.39.18.1
Comment 24 Swamp Workflow Management 2018-12-04 20:08:55 UTC
SUSE-SU-2018:3972-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1013882,1101676,1101677,1101678,1103342,1112368,1112397,1112417,1112421,1112432,1116686
CVE References: CVE-2016-9843,CVE-2018-3058,CVE-2018-3063,CVE-2018-3064,CVE-2018-3066,CVE-2018-3143,CVE-2018-3156,CVE-2018-3174,CVE-2018-3251,CVE-2018-3282
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    mariadb-10.0.37-20.49.2
Comment 27 Swamp Workflow Management 2018-12-21 02:10:42 UTC
SUSE-SU-2018:4211-1: An update that solves 10 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1013882,1101676,1101677,1101678,1103342,1112368,1112397,1112417,1112421,1112432,1116686,1118754
CVE References: CVE-2016-9843,CVE-2018-3058,CVE-2018-3063,CVE-2018-3064,CVE-2018-3066,CVE-2018-3143,CVE-2018-3156,CVE-2018-3174,CVE-2018-3251,CVE-2018-3282
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    mariadb-100-10.0.37-2.3.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    mariadb-100-10.0.37-2.3.1
SUSE Linux Enterprise Server 12-SP4 (src):    mariadb-100-10.0.37-2.3.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    mariadb-100-10.0.37-2.3.1
Comment 29 Swamp Workflow Management 2019-01-18 14:09:13 UTC
SUSE-SU-2019:0119-1: An update that solves 12 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1013882,1111858,1111859,1112368,1112377,1112384,1112386,1112391,1112397,1112404,1112415,1112417,1112421,1112432,1116686,1118754,1120041
CVE References: CVE-2016-9843,CVE-2018-3143,CVE-2018-3156,CVE-2018-3162,CVE-2018-3173,CVE-2018-3174,CVE-2018-3185,CVE-2018-3200,CVE-2018-3251,CVE-2018-3277,CVE-2018-3282,CVE-2018-3284
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    mariadb-10.2.21-3.7.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    mariadb-10.2.21-3.7.1
Comment 35 Swamp Workflow Management 2019-03-06 14:11:56 UTC
SUSE-SU-2019:0555-1: An update that solves 19 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1013882,1101676,1101677,1101678,1103342,1111858,1111859,1112368,1112377,1112384,1112386,1112391,1112397,1112404,1112415,1112417,1112421,1112432,1112767,1116686,1118754,1120041,1122198,1122475,1127027
CVE References: CVE-2016-9843,CVE-2018-3058,CVE-2018-3060,CVE-2018-3063,CVE-2018-3064,CVE-2018-3066,CVE-2018-3143,CVE-2018-3156,CVE-2018-3162,CVE-2018-3173,CVE-2018-3174,CVE-2018-3185,CVE-2018-3200,CVE-2018-3251,CVE-2018-3277,CVE-2018-3282,CVE-2018-3284,CVE-2019-2510,CVE-2019-2537
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    mariadb-10.2.22-3.14.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    mariadb-10.2.22-3.14.1
Comment 36 Swamp Workflow Management 2019-03-13 23:10:25 UTC
openSUSE-SU-2019:0327-1: An update that solves 19 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1013882,1101676,1101677,1101678,1103342,1111858,1111859,1112368,1112377,1112384,1112386,1112391,1112397,1112404,1112415,1112417,1112421,1112432,1112767,1116686,1118754,1120041,1122198,1122475,1127027
CVE References: CVE-2016-9843,CVE-2018-3058,CVE-2018-3060,CVE-2018-3063,CVE-2018-3064,CVE-2018-3066,CVE-2018-3143,CVE-2018-3156,CVE-2018-3162,CVE-2018-3173,CVE-2018-3174,CVE-2018-3185,CVE-2018-3200,CVE-2018-3251,CVE-2018-3277,CVE-2018-3282,CVE-2018-3284,CVE-2019-2510,CVE-2019-2537
Sources used:
openSUSE Leap 15.0 (src):    mariadb-10.2.22-lp150.2.9.1
Comment 38 Swamp Workflow Management 2019-06-06 22:10:49 UTC
SUSE-SU-2019:1441-1: An update that solves 24 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1013882,1064113,1064114,1072167,1101676,1101677,1101678,1103342,1112368,1112377,1112384,1112386,1112391,1112397,1112404,1112415,1112417,1112421,1112432,1112767,1116686,1118754,1120041,1122198,1122475,1127027
CVE References: CVE-2016-9843,CVE-2017-10320,CVE-2017-10365,CVE-2017-15365,CVE-2018-2759,CVE-2018-2777,CVE-2018-2786,CVE-2018-2810,CVE-2018-3058,CVE-2018-3060,CVE-2018-3063,CVE-2018-3064,CVE-2018-3066,CVE-2018-3143,CVE-2018-3156,CVE-2018-3162,CVE-2018-3173,CVE-2018-3174,CVE-2018-3185,CVE-2018-3200,CVE-2018-3251,CVE-2018-3277,CVE-2018-3282,CVE-2018-3284
Sources used:
SUSE OpenStack Cloud 7 (src):    mariadb-10.2.22-10.1, mariadb-connector-c-3.0.7-1.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 41 Swamp Workflow Management 2019-08-05 19:16:27 UTC
SUSE-SU-2019:2048-1: An update that solves 12 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1013882,1101676,1101677,1101678,1103342,1112368,1112397,1112417,1112421,1112432,1116686,1118754,1132666,1136037
CVE References: CVE-2016-9843,CVE-2018-3058,CVE-2018-3063,CVE-2018-3064,CVE-2018-3066,CVE-2018-3143,CVE-2018-3156,CVE-2018-3174,CVE-2018-3251,CVE-2018-3282,CVE-2019-2529,CVE-2019-2537
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    mariadb-10.0.38-29.27.3
SUSE OpenStack Cloud 8 (src):    mariadb-10.0.38-29.27.3
SUSE OpenStack Cloud 7 (src):    mariadb-10.0.38-29.27.3
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    mariadb-10.0.38-29.27.3
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    mariadb-10.0.38-29.27.3
SUSE Linux Enterprise Server 12-SP2-BCL (src):    mariadb-10.0.38-29.27.3
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    mariadb-10.0.38-29.27.3
SUSE Enterprise Storage 4 (src):    mariadb-10.0.38-29.27.3
HPE Helion Openstack 8 (src):    mariadb-10.0.38-29.27.3

Comment 44 Swamp Workflow Management 2019-11-12 16:40:22 UTC
This is an autogenerated message for OBS integration:
This bug (1013882) was mentioned in
https://build.opensuse.org/request/show/747777 Backports:SLE-12 / zlib