Bugzilla – Bug 1197459
VUL-0: CVE-2018-25032: zlib: memory corruption on deflate (i.e. compress)
Last modified: 2022-04-19 07:00:21 UTC
From oss public ML
-------------------
Greetings list, I was recently trying to track down a reproducible crash in a compressor. Believe it or not, it really was a bug in zlib-1.2.11 when compressing (not decompressing!) certain inputs.

I reported it upstream, but it turns out the issue has been public since 2018, but the patch never made it into a release. As far as I know, nobody ever assigned it a CVE.

https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531

As far as I can tell, no distros have picked this up.

Tavis.
The following packages seem to be affected:
- SUSE:SLE-11-SP1:Update:Teradata/zlib 1.2.7
- SUSE:SLE-11-SP3:Update/zlib 1.2.7
- SUSE:SLE-12-SP2:Update/zlib 1.2.8
- SUSE:SLE-12-SP4:Update/zlib 1.2.11
- SUSE:SLE-12-SP5:Update/zlib 1.2.11
- SUSE:SLE-15:Update/zlib 1.2.11
- openSUSE:Factory/zlib 1.2.11
Hi Gianluca, I have sent the submission for SLE-12-SP5, SLE-15 and Factory. Should I fix any other codestream?
(In reply to Danilo Spinella from comment #2)
> Hi Gianluca, I have sent the submission for SLE-12-SP5, SLE-15 and Factory.
> Should I fix any other codestream?

All the affected ones. Moreover, could you add the CVE ID to the changes file?
Created attachment 857414 [details]
deflate.c

From the ML
-----------
I've made some progress working on the bug. I've got a nice clean repro for Z_FIXED strategy.

To hit the bug, you need to force lots of worst-case (distance, length) pairs. Zlib keeps a rolling hash of every 3 bytes of input, then uses this to find previous matches and then see how long they are. Here is a good explainer: https://www.euccas.me/zlib/#zlib_hash_chain

The longest possible back-reference is 31 bits, starting at (distance=16385, length=131). The trick I found to force those is to use a de Bruijn sequence with alphabet length cbrt(2^windowBits) and word length 3 (3 because that's MIN_MATCH in zlib). Now there is a match of arbitrary length at every single offset that can't be RLE'd away. So you generate one 2^windowBits block of this sequence, then repeat the same sequence but shuffle the subwords (Lyndon words? I might be using the wrong terminology).

I've attached a minimal C compressor, and an input that triggers the bug. It should trigger ASAN and (if it doesn't crash) produces garbage output that doesn't inflate into a matching input.

(Let me know if you want my C code to generate the input)

Repro:

    $ gcc deflate.c -o deflate libz.a
    $ deflate < CVE-2018-25032.txt
    trees.c:1091:20: runtime error: index 734 out of bounds for type 'uch [512]'
    trees.c:1091:20: runtime error: load of address 0x7f862280c27e with insufficient space for an object of type 'const uch'
    0x7f862280c27e: note: pointer points here
     19 19 19 19 19 19 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a 1a
                 ^
    =================================================================
    ==8534==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f862280c1ac at pc 0x7f86227f1b86 bp 0x7ffff6711bd0 sp 0x7ffff6711bc0
    READ of size 1 at 0x7f862280c1ac thread T0
        #0 0x7f86227f1b85 in compress_block zlib/zlib-1.2.11-orig/trees.c:1091
        #1 0x7f86227ecdb2 in _tr_flush_block zlib/zlib-1.2.11-orig/trees.c:979
        #2 0x7f86227cf310 in deflate_slow zlib/zlib-1.2.11-orig/deflate.c:2011
        #3 0x7f86227b9b90 in deflate zlib/zlib-1.2.11-orig/deflate.c:1003
        #4 0x7f86227a8849 in main (/home/taviso/deflate+0x95849)
        #5 0x7f86211540b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
        #6 0x7f86227a848d in _start (/home/taviso/deflate+0x9548d)

    0x7f862280c1ac is located 12 bytes to the right of global variable '_dist_code' defined in 'trees.h:73:25' (0x7f862280bfa0) of size 512
    0x7f862280c1ac is located 20 bytes to the left of global variable '_length_code' defined in 'trees.h:102:25' (0x7f862280c1c0) of size 256
    SUMMARY: AddressSanitizer: global-buffer-overflow trees.c:1091 in compress_block

If it doesn't crash, you can use the zpipe utility to verify that the generated compressed data is garbage.

One question remains - does this *only* affect Z_FIXED, or also Z_DEFAULT_STRATEGY?

It seems plausible this also affects Z_DEFAULT_STRATEGY, because of this condition:

https://github.com/madler/zlib/blob/master/trees.c#L976

    } else if (s->strategy == Z_FIXED || static_lenb == opt_lenb) {

That is, if the optimal and static trees are the same size, then zlib *chooses* the Z_FIXED strategy anyway. I don't know if this is practically possible yet, I'm investigating but if someone smarter than me already knows the answer please let me know!

IMHO, this is a pretty bad bug - but if it is impossible to reach with Z_DEFAULT_STRATEGY, then at least there's no need to panic, as Z_FIXED is usually only used in special circumstances... If it is possible, well... uh-oh.

Tavis.
The full email thread can be found here [0].

[0] https://www.openwall.com/lists/oss-security/2022/03/24/1
zlib 1.2.12 (released 2 days ago) includes the fix for this CVE.
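As an added example (not code from the bug report, from Tavis, or from zlib itself): a small Python check, using the interpreter's bundled zlib binding, that reports whether the linked zlib predates the 1.2.12 fix release and verifies that deflate output produced with Z_FIXED still inflates back to the input, which is the garbage-output symptom the report describes. The 1.2.12 threshold comes from the thread; the repetitive sample input is constructed here and is not the crash trigger, so a pass on the round-trip only means this input is handled, not that the library is fixed.

```python
import zlib

FIXED_IN = (1, 2, 12)  # first zlib release that ships the fix, per the thread


def parse_zlib_version(ver: str) -> tuple:
    """Turn a zlib version string such as '1.2.11' or '1.2.11.1' into a tuple
    of ints. A non-numeric suffix (e.g. '1.2.11-suse') is dropped."""
    parts = []
    for piece in ver.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def zlib_predates_fix(ver: str) -> bool:
    """True if this zlib is older than 1.2.12, i.e. may still carry the bug."""
    return parse_zlib_version(ver) < FIXED_IN


def roundtrip_ok(data: bytes, strategy: int = zlib.Z_FIXED, level: int = 9) -> bool:
    """Deflate with the given strategy, inflate the result and compare with
    the input. Garbage output shows up as a mismatch or a zlib.error; a zlib
    that crashes in compress_block never gets this far."""
    comp = zlib.compressobj(level, zlib.DEFLATED, 15, 9, strategy)
    stream = comp.compress(data) + comp.flush()
    try:
        return zlib.decompress(stream) == data
    except zlib.error:
        return False


def check_runtime() -> dict:
    """Summarise the state of the zlib linked into this interpreter."""
    ver = zlib.ZLIB_RUNTIME_VERSION
    sample = bytes(range(256)) * 512  # constructed input, not the crash trigger
    return {
        "version": ver,
        "predates_fix": zlib_predates_fix(ver),
        "z_fixed_roundtrip": roundtrip_ok(sample, zlib.Z_FIXED),
        "z_default_roundtrip": roundtrip_ok(sample, zlib.Z_DEFAULT_STRATEGY),
    }


if __name__ == "__main__":
    for key, val in check_runtime().items():
        print(f"{key}: {val}")
```

On a distro build, "predates_fix" being True does not by itself mean the package is vulnerable, since the SUSE updates listed below backport the fix into 1.2.7, 1.2.8 and 1.2.11 builds; check the package changelog for the CVE ID in that case.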
SUSE-SU-2022:1023-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197459
CVE References: CVE-2018-25032
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): zlib-1.2.11-11.19.1
SUSE Linux Enterprise Server 12-SP5 (src): zlib-1.2.11-11.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2022:1061-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197459
CVE References: CVE-2018-25032
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): zlib-1.2.11-150000.3.30.1
openSUSE Leap 15.3 (src): zlib-1.2.11-150000.3.30.1
SUSE-SU-2022:1061-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197459
CVE References: CVE-2018-25032
JIRA References:
Sources used:
SUSE Manager Server 4.1 (src): zlib-1.2.11-150000.3.30.1
SUSE Manager Retail Branch Server 4.1 (src): zlib-1.2.11-150000.3.30.1
SUSE Manager Proxy 4.1 (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Server for SAP 15 (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Server 15-LTSS (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Micro 5.1 (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Micro 5.0 (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): zlib-1.2.11-150000.3.30.1
SUSE Enterprise Storage 7 (src): zlib-1.2.11-150000.3.30.1
SUSE Enterprise Storage 6 (src): zlib-1.2.11-150000.3.30.1
SUSE CaaS Platform 4.0 (src): zlib-1.2.11-150000.3.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1043-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197459
CVE References: CVE-2018-25032
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): zlib-1.2.8-12.6.1
SUSE OpenStack Cloud 8 (src): zlib-1.2.8-12.6.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): zlib-1.2.8-12.6.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): zlib-1.2.8-12.6.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): zlib-1.2.8-12.6.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): zlib-1.2.8-12.6.1
HPE Helion Openstack 8 (src): zlib-1.2.8-12.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:14929-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197459
CVE References: CVE-2018-25032
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): zlib-1.2.7-0.17.3.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): zlib-1.2.7-0.17.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): zlib-1.2.7-0.17.3.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): zlib-1.2.7-0.17.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1062-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197459
CVE References: CVE-2018-25032
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): zlib-1.2.11-3.6.1
SUSE OpenStack Cloud 9 (src): zlib-1.2.11-3.6.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): zlib-1.2.11-3.6.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): zlib-1.2.11-3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Done.
SUSE-SU-2022:1061-2: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197459
CVE References: CVE-2018-25032
JIRA References:
Sources used:
SUSE Linux Enterprise Micro 5.2 (src): zlib-1.2.11-150000.3.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Note that, since version 3.2.4, rsync includes the fix for the bundled zlib version.