CVE-2018-25032

Name: CVE-2018-25032
Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-2968-1, DLA-2993-1, DSA-5111-1, ELA-590-1
Debian Bugs: 1008265

Vulnerable and fixed packages

The table below lists information on source packages.

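| Source Package | Release | Version | Status |
|---|---|---|---|
| libz-mingw-w64 (PTS) | stretch (security), stretch (lts), stretch | 1.2.11+dfsg-1+deb9u1 | fixed |
| libz-mingw-w64 (PTS) | buster, bullseye | 1.2.11+dfsg-2 | vulnerable |
| libz-mingw-w64 (PTS) | bookworm | 1.2.13+dfsg-1 | fixed |
| libz-mingw-w64 (PTS) | sid, trixie | 1.3.1+dfsg-1 | fixed |
| zlib (PTS) | jessie, jessie (lts) | 1:1.2.8.dfsg-2+deb8u3 | fixed |
| zlib (PTS) | stretch (security) | 1:1.2.8.dfsg-5+deb9u1 | fixed |
| zlib (PTS) | stretch (lts), stretch | 1:1.2.8.dfsg-5+deb9u2 | fixed |
| zlib (PTS) | buster (security), buster, buster (lts) | 1:1.2.11.dfsg-1+deb10u2 | fixed |
| zlib (PTS) | bullseye (security), bullseye | 1:1.2.11.dfsg-2+deb11u2 | fixed |
| zlib (PTS) | bookworm | 1:1.2.13.dfsg-1 | fixed |
| zlib (PTS) | sid, trixie | 1:1.3.dfsg+really1.3.1-1 | fixed |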

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libz-mingw-w64 | source | stretch | 1.2.11+dfsg-1+deb9u1 | | DLA-2993-1 | |
| libz-mingw-w64 | source | (unstable) | 1.2.11+dfsg-5 | | | |
| zlib | source | jessie | 1:1.2.8.dfsg-2+deb8u2 | | ELA-590-1 | |
| zlib | source | stretch | 1:1.2.8.dfsg-5+deb9u1 | | DLA-2968-1 | |
| zlib | source | buster | 1:1.2.11.dfsg-1+deb10u1 | | DSA-5111-1 | |
| zlib | source | bullseye | 1:1.2.11.dfsg-2+deb11u1 | | DSA-5111-1 | |
| zlib | source | (unstable) | 1:1.2.11.dfsg-4 | | | 1008265 |

Notes

[bullseye] - libz-mingw-w64 <no-dsa> (Minor issue)
[buster] - libz-mingw-w64 <no-dsa> (Minor issue)
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
https://www.openwall.com/lists/oss-security/2022/03/24/1
Details: https://www.openwall.com/lists/oss-security/2022/03/26/1
https://www.openwall.com/lists/oss-security/2022/03/27/1
https://www.openwall.com/lists/oss-security/2022/03/28/1
