On 01/11/2022 15:46, Tuomo Soini wrote:
> On Tue, 1 Nov 2022 10:50:02 +0000
> Nick Howitt via epel-devel <epel-devel@lists.fedoraproject.org> wrote:
>
>> Yesterday, ClamAV announced CVE-2022-37434 as critical
>> (https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html).
>> Redhat only seem to classify the issue as Moderate in EL7 -
>> https://access.redhat.com/security/cve/cve-2022-37434. It looks like
>> that, unless Redhat classify it as Critical, zlib and zlib-devel
>> won't get updated so ClamAV can't be rebuilt against the updated
>> zlib-devel. What is the EPEL take on the issue?
> Question was about update of bundled libraries which are not used by
> epel package.
>
Sorry but the spec file has "BuildRequires: zlib-devel" so it is used
for building and, if I understand correctly, the CVE effectively means
ClamAV needs to be rebuilt against the fixed zlib/zlib-devel. Please let
me know if I have misunderstood.
That means it is using the OS zlib to build things. If RHEL does not ship any update, then rebuilding it won't fix anything.
If you backport the fix to the shipped zlib source code and build it yourself, then if all goes well everything which was built against the original ABI will continue to work without recompiling