CVE-2018-25032

NameCVE-2018-25032
Descriptionzlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2968-1, DLA-2993-1, DSA-5111-1
Debian Bugs1008265

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libz-mingw-w64 (PTS)buster, bullseye1.2.11+dfsg-2vulnerable
bookworm1.2.13+dfsg-1fixed
sid, trixie1.3+dfsg-1fixed
zlib (PTS)buster1:1.2.11.dfsg-1+deb10u1fixed
buster (security)1:1.2.11.dfsg-1+deb10u2fixed
bullseye (security), bullseye1:1.2.11.dfsg-2+deb11u2fixed
bookworm1:1.2.13.dfsg-1fixed
sid, trixie1:1.2.13.dfsg-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libz-mingw-w64sourcestretch1.2.11+dfsg-1+deb9u1DLA-2993-1
libz-mingw-w64source(unstable)1.2.11+dfsg-5
zlibsourcestretch1:1.2.8.dfsg-5+deb9u1DLA-2968-1
zlibsourcebuster1:1.2.11.dfsg-1+deb10u1DSA-5111-1
zlibsourcebullseye1:1.2.11.dfsg-2+deb11u1DSA-5111-1
zlibsource(unstable)1:1.2.11.dfsg-41008265

Notes

[bullseye] - libz-mingw-w64 <no-dsa> (Minor issue)
[buster] - libz-mingw-w64 <no-dsa> (Minor issue)
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
https://www.openwall.com/lists/oss-security/2022/03/24/1
Details: https://www.openwall.com/lists/oss-security/2022/03/26/1
https://www.openwall.com/lists/oss-security/2022/03/27/1
https://www.openwall.com/lists/oss-security/2022/03/28/1
Search for package or bug name: Reporting problems