CVE-2018-25032

Description

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

CVSS Metrics

• v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
• v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 0.09%• Percentile: 25%

Techniques & Countermeasures

• CWE-787•Out-of-bounds Write

  The product writes data past the end, or before the beginning, of the intended buffer.

Affected Systems

• apple•mac_os_x

  ≥ 10.15, < 10.15.7 | 10.15.7 | 10.15.7:security_update_2020 | 10.15.7:security_update_2020-001 | 10.15.7:security_update_2020-005 | 10.15.7:security_update_2020-007 | 10.15.7:security_update_2021-001 | 10.15.7:security_update_2021-002 | 10.15.7:security_update_2021-003 | 10.15.7:security_update_2021-006 | 10.15.7:security_update_2021-007 | 10.15.7:security_update_2021-008 | 10.15.7:security_update_2022-001 | 10.15.7:security_update_2022-002 | 10.15.7:security_update_2022-003

• Unknown•macOS

  ≥ 11.0, < 11.6.6 | ≥ 12.0.0, < 12.4

• azul•zulu

  6.45 | 7.52 | 8.60 | 11.54 | 13.46 | 15.38 | 17.32

• debian•debian_linux

  9.0 | 10.0 | 11.0

• fedoraproject•fedora

  34 | 35 | 36

• goto•gotoassist

  < 11.9.18

• mariadb•mariadb

  ≥ 10.3.0, < 10.3.36 | ≥ 10.4.0, < 10.4.26 | ≥ 10.5.0, < 10.5.17 | ≥ 10.6.0, < 10.6.9 | ≥ 10.7.0, < 10.7.5 | ≥ 10.8.0, < 10.8.4 | ≥ 10.9.0, < 10.9.2

• netapp•active_iq_unified_manager

  na

• netapp•e-series_santricity_os_controller

  ≥ 11.0.0, ≤ 11.70.2

• netapp•h300s_firmware

  na

• netapp•h410c_firmware

  na

• netapp•h410s_firmware

  na

• netapp•h500s_firmware

  na

• netapp•h700s_firmware

  na

• netapp•hci_compute_node_firmware

  na

• netapp•management_services_for_element_software

  na

• netapp•oncommand_workflow_automation

  na

• netapp•ontap_select_deploy_administration_utility

  na

• nokogiri•nokogiri

  < 1.13.4

• python•python

  ≥ 3.7.0, < 3.7.14 | ≥ 3.8.0, < 3.8.14 | ≥ 3.9.0, < 3.9.13 | ≥ 3.10.0, < 3.10.5

• siemens•scalance_sc622-2c_firmware

  < 3.0

• siemens•scalance sc626-2c

  < 3.0

• siemens•scalance_sc632-2c_firmware

  < 3.0

• siemens•scalance_sc636-2c_firmware

  < 3.0

• siemens•scalance_sc642-2c_firmware

  < 3.0

• siemens•scalance_sc646-2c_firmware

  < 3.0

• zlib•zlib

  ≥ 1.2.2.2, < 1.2.12

References (29)

• https://www.openwall.com/lists/oss-security/2022/03/24/1
• https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
• http://www.openwall.com/lists/oss-security/2022/03/25/2
• http://www.openwall.com/lists/oss-security/2022/03/26/1
• https://www.debian.org/security/2022/dsa-5111
• https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/
• https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html
• http://seclists.org/fulldisclosure/2022/May/33
• http://seclists.org/fulldisclosure/2022/May/35
• http://seclists.org/fulldisclosure/2022/May/38
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.openwall.com/lists/oss-security/2022/03/28/3
• https://www.openwall.com/lists/oss-security/2022/03/28/1
• https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
• https://github.com/madler/zlib/issues/605
• https://support.apple.com/kb/HT213257
• https://support.apple.com/kb/HT213256
• https://support.apple.com/kb/HT213255
• https://security.netapp.com/advisory/ntap-20220526-0009/
• https://security.netapp.com/advisory/ntap-20220729-0004/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/
• https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html
• https://security.gentoo.org/glsa/202210-42
• https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf