Vulnerability in zlib triggered when compressing specially crafted data

A vulnerability (CVE-2018-25032) has been identified in the zlib library that leads to a buffer overflow when attempting to compress a specially prepared sequence of characters in incoming data. In its current form, researchers have demonstrated the ability to cause abnormal termination of the process. Whether the problem can have more serious consequences has not yet been studied.

The vulnerability has been present since zlib 1.2.2.2 and affects the current release, zlib 1.2.11. Notably, a patch fixing the vulnerability was proposed back in 2018, but the developers did not pay attention to it and did not issue a corrective release (the zlib library was last updated in 2017). The fix is also not yet included in the packages offered by distributions. The publication of package updates by distributions can be tracked on these pages: Debian, RHEL, Fedora, SUSE, Ubuntu, Arch Linux, OpenBSD, FreeBSD, NetBSD. The zlib-ng library is not affected by the problem.

The vulnerability manifests when the input stream contains a large number of matches to which packing based on fixed Huffman codes is applied. Under certain circumstances, the contents of the intermediate buffer in which the compressed result is placed can overlap the memory in which the symbol frequency table is stored. The result is the generation of incorrect compressed data and a crash caused by a write beyond the buffer boundary.

The vulnerability can only be exploited when a compression strategy based on fixed Huffman codes is used.
Such a strategy is selected when the Z_FIXED option is explicitly enabled in the code (an example of a sequence that leads to a crash when the Z_FIXED option is used). Judging by the code

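An added example, not from the original article or the zlib project: a Python audit helper that flags C call sites passing Z_FIXED to deflateInit2 or deflateParams and checks a zlib version string against the affected range given above. SAMPLE_C and all function names are constructed for illustration. A distribution package may carry the fix without changing its version number, and a clean scan does not prove a build is unaffected.

```python
import re

# Affected range as stated in the article: zlib 1.2.2.2 through 1.2.11.
AFFECTED_FIRST = (1, 2, 2, 2)
AFFECTED_LAST = (1, 2, 11, 0)
# zlib calls that take a strategy argument; arguments are read up to the next ';'.
STRATEGY_CALL = re.compile(r"\b(deflateInit2|deflateParams)\s*\(([^;]*)")

# Constructed sample source, for illustration only.
SAMPLE_C = """\
#include <zlib.h>
int pack(z_stream *s) {
    /* deflateInit2(s, 6, Z_DEFLATED, 15, 8, Z_FIXED); old call, disabled */
    if (deflateInit2(s, 6, Z_DEFLATED, 15, 8,
                     Z_FIXED) != Z_OK)
        return -1;
    return deflateParams(s, 9, Z_DEFAULT_STRATEGY);
}
"""

def parse_version(text):
    """Turn '1.2.11' or '1.2.2.2' into a 4-tuple, ignoring any trailing suffix."""
    m = re.match(r"\d+(?:\.\d+){0,3}", text.strip())
    if not m:
        raise ValueError(f"unrecognised zlib version: {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def in_affected_range(version_text):
    """True if the upstream version number lies in the article's affected range."""
    if "zlib-ng" in version_text:  # the article says zlib-ng is not affected
        return False
    return AFFECTED_FIRST <= parse_version(version_text) <= AFFECTED_LAST

def strip_comments(source):
    """Drop C comments but keep their newlines so line numbers stay correct."""
    keep_newlines = lambda m: "\n" * m.group(0).count("\n")
    source = re.sub(r"/\*.*?\*/", keep_newlines, source, flags=re.S)
    return re.sub(r"//[^\n]*", "", source)

def find_fixed_strategy_calls(source):
    """Return (line, function) for each strategy-taking call that names Z_FIXED."""
    code = strip_comments(source)
    return [(code.count("\n", 0, m.start()) + 1, m.group(1))
            for m in STRATEGY_CALL.finditer(code)
            if re.search(r"\bZ_FIXED\b", m.group(2))]

if __name__ == "__main__":
    print(find_fixed_strategy_calls(SAMPLE_C), in_affected_range("1.2.11"))
```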