CVE-2018-25032 (zlib memory corruption on deflate)

[vielmetti]

CVE-2018-25032 tracks a bug in zlib 1.2.11 which allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

There is a fix from @madler at 5c44459

@taviso reports at https://www.openwall.com/lists/oss-security/2022/03/24/1 that this patch never made it into a release, and at the time of writing no distros had picked it up as a fix.

[vielmetti]

PR to fix in nixpkgs from @twz123 NixOS/nixpkgs#165642

[vielmetti]

PR to fix in Alpine aports from @ncopa https://git.alpinelinux.org/aports/commit/?id=361df5902aa1e81594b17f06a13e10527dfb8aed and alpinelinux/aports@361df59

[ynezz]

Fixed in OpenWrt down to 19.07 release with openwrt/openwrt@b3aa290

[vielmetti]

Fixed in Debian, the relevant bug is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1008265 and the version with the fix is zlib/1:1.2.11.dfsg-4

[vielmetti]

Ubuntu has tracked this as https://ubuntu.com/security/CVE-2018-25032 and has a proposed patch which will bring the version to 1:1.2.11.dfsg-2ubuntu9, details are up to date at https://launchpad.net/ubuntu/+source/zlib . Ubuntu notes that "rsync" is also affected and is fixed in 3.1.3-6.

[vielmetti]

Fedora and Red Hat are tracking this bug at https://bugzilla.redhat.com/show_bug.cgi?id=2067945 and there is no "fixed in" version as of this writing. It's also marked as affecting the packages "mingw-zlib" and "rsync".

[briangreenery]

Do you know if the full fix requires both of these commits?

5c44459
4346a16

I only see the first commit referenced as related to the CVE, but the linked NixOS and Alpine issues are applying both commits. I'm not sure how they knew the second commit should also be applied.

[vielmetti]

@briangreenery It looks like this Ubuntu patch at https://launchpad.net/ubuntu/+source/zlib/1:1.2.11.dfsg-2ubuntu9 also picks up the deflatePrime() validation check you reference at 4346a16 .

[vielmetti]

@taviso posts a reproducer at https://www.openwall.com/lists/oss-security/2022/03/26/1 with a sample input file that triggers the bug when run against a minimal compressor that uses zlib.

[vielmetti]

In https://twitter.com/OpenBSD_src/status/1507325285665968130 there is a reference to a (forthcoming) errata for OpenBSD with the name "errata/7.0/018_zlib.patch.sig".

From the looks of it this hasn't been published just yet, but when it does I expect it to be at https://ftp.openbsd.org/pub/OpenBSD/patches/7.0/common/

The reference acknowledges mbuhl and millert of the OpenBSD project.

From the looks of it, @bluhm is also doing work for OpenBSD on zlib, see e.g.
openbsd/src@b1b1dcf
which references 38e8ce3
fixing the CLEAR_HASH macro.