Bug 1197459 - (CVE-2018-25032) VUL-0: CVE-2018-25032: zlib: memory corruption on deflate (i.e. compress)
Status: REOPENED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/327120/
Whiteboard: CVSSv3.1:SUSE:CVE-2018-25032:8.1:(AV:...
Reported: 2022-03-24 08:39 UTC by Gianluca Gabrielli
Modified: 2022-09-12 13:39 UTC
CC: 6 users


Attachments: deflate.c (827 bytes, text/x-csrc), 2022-03-28 07:22 UTC, Gianluca Gabrielli

Description Gianluca Gabrielli 2022-03-24 08:39:26 UTC
From oss-security public ML
-------------------

Greetings list, I was recently trying to track down a reproducible crash
in a compressor. Believe it or not, it really was a bug in
zlib-1.2.11 when compressing (not decompressing!) certain inputs.

I reported it upstream, but it turns out the issue has been public since
2018, but the patch never made it into a release. As far as I know,
nobody ever assigned it a CVE.

https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531

As far as I can tell, no distros have picked this up.

Tavis.
Comment 1 Gianluca Gabrielli 2022-03-24 13:38:47 UTC
The following packages seem to be affected:
 - SUSE:SLE-11-SP1:Update:Teradata/zlib    1.2.7
 - SUSE:SLE-11-SP3:Update/zlib             1.2.7
 - SUSE:SLE-12-SP2:Update/zlib             1.2.8
 - SUSE:SLE-12-SP4:Update/zlib             1.2.11
 - SUSE:SLE-12-SP5:Update/zlib             1.2.11
 - SUSE:SLE-15:Update/zlib                 1.2.11
 - openSUSE:Factory/zlib                   1.2.11
Comment 2 Danilo Spinella 2022-03-25 18:42:24 UTC
Hi Gianluca, I have sent the submission for SLE-12-SP5, SLE-15 and Factory. Should I fix any other codestream?
Comment 4 Gianluca Gabrielli 2022-03-28 07:19:55 UTC
(In reply to Danilo Spinella from comment #2)
> Hi Gianluca, I have sent the submission for SLE-12-SP5, SLE-15 and Factory.
> Should I fix any other codestream?

All the affected ones. Moreover, could you add the CVE ID to the changes file?
Comment 5 Gianluca Gabrielli 2022-03-28 07:22:37 UTC
Created attachment 857414 [details]
deflate.c

From the ML
-----------

I've made some progress working on the bug. I've got a nice
clean repro for Z_FIXED strategy. To hit the bug, you need to force
lots of worst-case (distance, length) pairs.

Zlib keeps a rolling hash of every 3 bytes of input, then uses this to
find previous matches and then see how long they are. Here is a good
explainer:

https://www.euccas.me/zlib/#zlib_hash_chain


The longest possible back-reference is 31 bits, starting at
(distance=16385, length=131).

The trick I found to force those is to use a de Bruijn sequence with
alphabet length cbrt(2^windowBits) and word length 3 (3 because that's
MIN_MATCH in zlib). Now there is a match of arbitrary length at every
single offset that can't be RLE'd away. So you generate one
2^windowBits block of this sequence, then repeat the same sequence but
shuffle the subwords (lyndon words? I might be using the wrong
terminology).

I've attached a minimal C compressor, and an input that triggers the
bug. It should trigger ASAN and (if it doesn't crash) produces garbage
output that doesn't inflate into a matching input.

(Let me know if you want my C code to generate the input)

Repro:

$ gcc deflate.c -o deflate libz.a
$ deflate < CVE-2018-25032.txt
trees.c:1091:20: runtime error: index 734 out of bounds for type 'uch [512]'
trees.c:1091:20: runtime error: load of address 0x7f862280c27e with insufficient space for an object of type 'const uch'
0x7f862280c27e: note: pointer points here
 19 19 19 19 19 19  1a 1a 1a 1a 1a 1a 1a 1a  1a 1a 1a 1a 1a 1a 1a 1a  1a 1a 1a 1a 1a 1a 1a 1a  1a 1a
             ^
=================================================================
==8534==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f862280c1ac at pc 0x7f86227f1b86 bp 0x7ffff6711bd0 sp 0x7ffff6711bc0
READ of size 1 at 0x7f862280c1ac thread T0
    #0 0x7f86227f1b85 in compress_block zlib/zlib-1.2.11-orig/trees.c:1091
    #1 0x7f86227ecdb2 in _tr_flush_block zlib/zlib-1.2.11-orig/trees.c:979
    #2 0x7f86227cf310 in deflate_slow zlib/zlib-1.2.11-orig/deflate.c:2011
    #3 0x7f86227b9b90 in deflate zlib/zlib-1.2.11-orig/deflate.c:1003
    #4 0x7f86227a8849 in main (/home/taviso/deflate+0x95849)
    #5 0x7f86211540b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    #6 0x7f86227a848d in _start (/home/taviso/deflate+0x9548d)

0x7f862280c1ac is located 12 bytes to the right of global variable '_dist_code' defined in 'trees.h:73:25' (0x7f862280bfa0) of size 512
0x7f862280c1ac is located 20 bytes to the left of global variable '_length_code' defined in 'trees.h:102:25' (0x7f862280c1c0) of size 256
SUMMARY: AddressSanitizer: global-buffer-overflow trees.c:1091 in compress_block

If it doesn't crash, you can use the zpipe utility to verify that the
generated compressed data is garbage.

One question remains - does this *only* affect Z_FIXED, or also
Z_DEFAULT_STRATEGY? It seems plausible this also affects
Z_DEFAULT_STRATEGY, because of this condition:

https://github.com/madler/zlib/blob/master/trees.c#L976

    } else if (s->strategy == Z_FIXED || static_lenb == opt_lenb) {

That is, if the optimal and static trees are the same size, then zlib
*chooses* the Z_FIXED strategy anyway. I don't know if this is
practically possible yet, I'm investigating but if someone smarter than
me already knows the answer please let me know!

IMHO, this is a pretty bad bug - but if it is impossible to reach with
Z_DEFAULT_STRATEGY, then at least there's no need to panic, as Z_FIXED
is usually only used in special circumstances...

If it is possible, well... uh-oh.

Tavis.
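Worked example added here for readers of this bug (it is not Tavis's attached deflate.c, which is not reproduced on this page, and not zlib code): a Python harness around the stdlib zlib binding that (a) computes the fixed-tree bit cost of a (distance, length) pair from the RFC 1951 tables, confirming the 31-bit worst case at (16385, 131) quoted above, (b) builds an input of the shape described in the mail (a de Bruijn sequence over an alphabet of cbrt(2^windowBits) = 32 symbols with word length MIN_MATCH = 3, followed by the same material rearranged) and (c) round-trips it through deflate with Z_FIXED and Z_DEFAULT_STRATEGY to catch the "garbage output" symptom. The rearrangement used for the second block (reversing the order of fixed-size chunks) and the mapping of symbols to printable bytes are my own assumptions, not the generator from the thread, and this input is not verified to reach the trees.c overflow on 1.2.11; the harness tells you whether the linked zlib corrupts this particular input, nothing more.

```python
"""Round-trip harness for the zlib deflate bug (CVE-2018-25032).

Added example, not code from the bug report or from zlib.  The input shape
follows the mailing-list description; the "shuffle" step is an assumption.
"""
import zlib

WINDOW_BITS = 15   # zlib default window: 2**15 bytes
MIN_MATCH = 3      # zlib's minimum match length; also the de Bruijn word length
MAX_MATCH = 258    # longest DEFLATE match


def _fixed_litlen_bits(code):
    """Fixed Huffman code length of literal/length code 0..287 (RFC 1951 3.2.6)."""
    if code <= 143:
        return 8
    if code <= 255:
        return 9
    if code <= 279:
        return 7
    return 8


def fixed_code_bits(distance, length):
    """Bits emitted for one (distance, length) pair with the fixed trees:
    length code + length extra bits + 5-bit distance code + distance extra bits."""
    assert MIN_MATCH <= length <= MAX_MATCH and 1 <= distance <= 1 << WINDOW_BITS
    if length == MAX_MATCH:              # 258 has its own code (285) and no extra bits
        lcode, lextra = 285, 0
    else:
        l = length - MIN_MATCH
        if l < 8:
            lcode, lextra = 257 + l, 0
        else:
            lextra = l.bit_length() - 3                      # floor(log2 l) - 2
            lcode = 265 + 4 * (lextra - 1) + ((l >> lextra) & 3)
    m = distance - 1
    dextra = 0 if m < 4 else m.bit_length() - 2              # floor(log2 m) - 1
    return _fixed_litlen_bits(lcode) + lextra + 5 + dextra   # fixed dist codes are 5 bits


def de_bruijn(k, n):
    """Sequence over {0..k-1} of length k**n containing every n-word exactly
    once (the standard FKM / prefer-smallest construction)."""
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq


def build_input(window_bits=WINDOW_BITS, chunk=64):
    """One window of B(32, 3) followed by the same bytes in chunk-reversed order,
    so every position has a MIN_MATCH-or-longer match at a large, varying
    distance that cannot be run-length-encoded away (approximation, assumed)."""
    k = round((2 ** window_bits) ** (1 / 3))
    assert k ** MIN_MATCH == 2 ** window_bits, "window size must be a cube here"
    block = bytes(0x20 + s for s in de_bruijn(k, MIN_MATCH))   # printable bytes (assumption)
    chunks = [block[i:i + chunk] for i in range(0, len(block), chunk)]
    return block + b"".join(reversed(chunks))


def roundtrip_ok(data, strategy=zlib.Z_FIXED, level=9, window_bits=WINDOW_BITS):
    """True if deflate(strategy) then inflate reproduces `data`.  Level 9 keeps
    zlib in deflate_slow(), the path in the ASAN trace in the report."""
    comp = zlib.compressobj(level, zlib.DEFLATED, window_bits, 9, strategy)
    stream = comp.compress(data) + comp.flush()
    try:
        return zlib.decompress(stream, window_bits) == data
    except zlib.error:
        return False


def check_zlib(data=None):
    """Linked zlib version plus the round-trip result for both strategies.
    False is a finding; True on a 1.2.11 build only means this input did not
    reach the bug, not that the library is safe."""
    data = build_input() if data is None else data
    return {
        "runtime": zlib.ZLIB_RUNTIME_VERSION,
        "fixed": roundtrip_ok(data, zlib.Z_FIXED),
        "default": roundtrip_ok(data, zlib.Z_DEFAULT_STRATEGY),
    }


if __name__ == "__main__":
    print("fixed-tree cost of (16385, 131):", fixed_code_bits(16385, 131), "bits")
    print(check_zlib())
```

fixed_code_bits() is also a quick way to see why 131 and 16385 are the corners: length 130 sits in code 280 with 4 extra bits (one bit cheaper), and length 258 has its own zero-extra code, so the longest match is not the most expensive one; distance 16384 is the last value of distance code 27 with 12 extra bits.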
Comment 6 Gianluca Gabrielli 2022-03-28 07:25:24 UTC
the full email thread can be found here [0].

[0] https://www.openwall.com/lists/oss-security/2022/03/24/1
Comment 13 Guillaume GARDET 2022-03-29 11:47:51 UTC
zlib 1.2.12 (released 2 days ago) includes the fix for this CVE.
Comment 14 Swamp Workflow Management 2022-03-29 19:22:50 UTC
SUSE-SU-2022:1023-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197459
CVE References: CVE-2018-25032
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    zlib-1.2.11-11.19.1
SUSE Linux Enterprise Server 12-SP5 (src):    zlib-1.2.11-11.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2022-03-30 19:30:12 UTC
openSUSE-SU-2022:1061-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197459
CVE References: CVE-2018-25032
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    zlib-1.2.11-150000.3.30.1
openSUSE Leap 15.3 (src):    zlib-1.2.11-150000.3.30.1
Comment 16 Swamp Workflow Management 2022-03-30 19:32:32 UTC
SUSE-SU-2022:1061-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197459
CVE References: CVE-2018-25032
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    zlib-1.2.11-150000.3.30.1
SUSE Manager Retail Branch Server 4.1 (src):    zlib-1.2.11-150000.3.30.1
SUSE Manager Proxy 4.1 (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Server for SAP 15 (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Server 15-LTSS (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Realtime Extension 15-SP2 (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Micro 5.1 (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise Micro 5.0 (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    zlib-1.2.11-150000.3.30.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    zlib-1.2.11-150000.3.30.1
SUSE Enterprise Storage 7 (src):    zlib-1.2.11-150000.3.30.1
SUSE Enterprise Storage 6 (src):    zlib-1.2.11-150000.3.30.1
SUSE CaaS Platform 4.0 (src):    zlib-1.2.11-150000.3.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2022-03-30 19:33:11 UTC
SUSE-SU-2022:1043-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197459
CVE References: CVE-2018-25032
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    zlib-1.2.8-12.6.1
SUSE OpenStack Cloud 8 (src):    zlib-1.2.8-12.6.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    zlib-1.2.8-12.6.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    zlib-1.2.8-12.6.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    zlib-1.2.8-12.6.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    zlib-1.2.8-12.6.1
HPE Helion Openstack 8 (src):    zlib-1.2.8-12.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2022-03-30 19:33:49 UTC
SUSE-SU-2022:14929-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197459
CVE References: CVE-2018-25032
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    zlib-1.2.7-0.17.3.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    zlib-1.2.7-0.17.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    zlib-1.2.7-0.17.3.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    zlib-1.2.7-0.17.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2022-03-30 19:35:03 UTC
SUSE-SU-2022:1062-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197459
CVE References: CVE-2018-25032
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    zlib-1.2.11-3.6.1
SUSE OpenStack Cloud 9 (src):    zlib-1.2.11-3.6.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    zlib-1.2.11-3.6.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    zlib-1.2.11-3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Gabriele Sonnu 2022-03-31 11:23:02 UTC
Done.
Comment 28 Swamp Workflow Management 2022-04-14 01:19:57 UTC
SUSE-SU-2022:1061-2: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1197459
CVE References: CVE-2018-25032
JIRA References: 
Sources used:
SUSE Linux Enterprise Micro 5.2 (src):    zlib-1.2.11-150000.3.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 David Anes 2022-04-19 07:00:21 UTC
Note that, since version 3.2.4, rsync includes the fix for the bundled zlib version.
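Bundled copies like rsync's are what a package-manager query for zlib misses. Added example (not part of this report, rsync or zlib): a scanner that finds statically linked or vendored zlib by the copyright banner both halves of the library embed, of the form " deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler " in deflate.c and " inflate 1.2.11 Copyright 1995-2017 Mark Adler " in inflate.c. The sample binary below is constructed inline. Caveat, and the reason the result is a worklist rather than a verdict: distribution packages backport the fix without bumping the version (the zlib-1.2.11-* updates in this bug do exactly that), so a 1.2.11 banner from a distro package has to be checked against the vendor's advisory, while a 1.2.11 banner inside a third-party binary is the real finding.

```python
"""Find embedded zlib copies by their copyright banner and flag those that
predate the upstream fix (zlib 1.2.12).  Added example, not project code."""
import re
from pathlib import Path

# deflate.c and inflate.c each carry a banner; version may have 3 or 4 parts
ZLIB_BANNER = re.compile(
    rb"(?P<kind>deflate|inflate) (?P<ver>\d+\.\d+\.\d+(?:\.\d+)?) Copyright"
)
FIXED_IN = (1, 2, 12)   # first upstream release containing the trees.c fix


def parse_version(ver):
    return tuple(int(part) for part in ver.split("."))


def zlib_versions_in(blob):
    """Set of zlib version strings whose banner occurs in `blob`."""
    return {m.group("ver").decode("ascii") for m in ZLIB_BANNER.finditer(blob)}


def needs_attention(ver):
    """True when the embedded version predates the upstream fix.  A hit in a
    distro-built library may still be patched (backport without version bump)."""
    return parse_version(ver) < FIXED_IN


def scan_tree(root):
    """Yield (path, version) for every regular file under `root` with a banner."""
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            blob = path.read_bytes()      # whole-file read; fine for /usr/bin-sized trees
        except OSError:
            continue
        for ver in zlib_versions_in(blob):
            yield path, ver


def report(root):
    """List of (path, version, flagged) tuples, the shape you would put in a ticket."""
    return [(str(p), v, needs_attention(v)) for p, v in scan_tree(root)]


# Constructed stand-in for a binary that statically links zlib 1.2.11 (not a real file).
SAMPLE_BLOB = (
    b"\x7fELF" + b"\x00" * 16
    + b" deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler \x00"
    + b"\x00" * 8
    + b" inflate 1.2.11 Copyright 1995-2017 Mark Adler \x00"
)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    for path, ver, flagged in report(root):
        print(f"{'OLD' if flagged else 'ok '} {ver:<10} {path}")
```

Run it against /usr/bin, /usr/lib and any vendored application trees (container images, language runtimes, embedded firmware extracts); the Python interpreter running it will usually show up too, since its own zlib module reports the same banner.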
Comment 33 Swamp Workflow Management 2022-09-09 10:20:23 UTC
SUSE-SU-2022:3225-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1197459,1200105,1201161,1201163,1201164,1201165,1201166,1201167,1201168,1201169,1201170
CVE References: CVE-2018-25032,CVE-2022-32081,CVE-2022-32083,CVE-2022-32084,CVE-2022-32085,CVE-2022-32086,CVE-2022-32087,CVE-2022-32088,CVE-2022-32089,CVE-2022-32091
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    mariadb-10.4.26-150200.3.31.1
SUSE Manager Retail Branch Server 4.1 (src):    mariadb-10.4.26-150200.3.31.1
SUSE Manager Proxy 4.1 (src):    mariadb-10.4.26-150200.3.31.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    mariadb-10.4.26-150200.3.31.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    mariadb-10.4.26-150200.3.31.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    mariadb-10.4.26-150200.3.31.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    mariadb-10.4.26-150200.3.31.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    mariadb-10.4.26-150200.3.31.1
SUSE Enterprise Storage 7 (src):    mariadb-10.4.26-150200.3.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.