CVE-2018-25032
Published: 25 March 2022
zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Notes
| Author | Note |
|---|---|
| mdeslaur | since 3.1.3-7, rsync builds with the system zlib |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
klibc Launchpad, Ubuntu, Debian |
bionic |
Released
(2.0.4-9ubuntu2.2+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
| focal |
Released
(2.0.7-1ubuntu5.2)
|
|
| jammy |
Released
(2.0.10-4ubuntu0.1)
|
|
| mantic |
Released
(2.0.13-1ubuntu0.1)
|
|
| trusty |
Released
(2.0.3-0ubuntu1.14.04.3+esm3)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Needs triage
|
|
| xenial |
Released
(2.0.4-8ubuntu1.16.04.4+esm2)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
|
mariadb-10.3 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Released
(1:10.3.37-0ubuntu0.20.04.1)
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(end of standard support)
|
|
|
mariadb-10.6 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Released
(1:10.6.11-0ubuntu0.22.04.1)
|
|
| kinetic |
Released
(1:10.6.9-1)
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(end of standard support)
|
|
|
rsync Launchpad, Ubuntu, Debian |
bionic |
Released
(3.1.2-2.1ubuntu1.4)
|
| focal |
Released
(3.1.3-8ubuntu0.3)
|
|
| impish |
Not vulnerable
(uses system zlib)
|
|
| jammy |
Not vulnerable
(uses system zlib)
|
|
| kinetic |
Not vulnerable
(uses system zlib)
|
|
| mantic |
Not vulnerable
(uses system zlib)
|
|
| trusty |
Not vulnerable
(uses system zlib)
|
|
| upstream |
Released
(3.2.4)
|
|
| xenial |
Released
(3.1.1-3ubuntu1.3+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
|
zlib Launchpad, Ubuntu, Debian |
bionic |
Released
(1:1.2.11.dfsg-0ubuntu2.1)
|
| focal |
Released
(1:1.2.11.dfsg-2ubuntu1.3)
|
|
| impish |
Released
(1:1.2.11.dfsg-2ubuntu7.1)
|
|
| jammy |
Released
(1:1.2.11.dfsg-2ubuntu9)
|
|
| kinetic |
Released
(1:1.2.11.dfsg-2ubuntu9)
|
|
| mantic |
Released
(1:1.2.11.dfsg-2ubuntu9)
|
|
| trusty |
Released
(1:1.2.8.dfsg-1ubuntu1.1+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Released
(1.2.12)
|
|
| xenial |
Released
(1:1.2.8.dfsg-2ubuntu4.3+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
|
Patches: upstream: https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531 upstream: https://github.com/madler/zlib/commit/4346a16853e19b45787ce933666026903fb8f3f8 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
- https://www.openwall.com/lists/oss-security/2022/03/24/1
- https://github.com/madler/zlib/issues/605
- https://ubuntu.com/security/notices/USN-5355-1
- https://ubuntu.com/security/notices/USN-5355-2
- https://ubuntu.com/security/notices/USN-5359-1
- https://ubuntu.com/security/notices/USN-5359-2
- https://ubuntu.com/security/notices/USN-5739-1
- https://www.cve.org/CVERecord?id=CVE-2018-25032
- https://ubuntu.com/security/notices/USN-6736-1
- NVD
- Launchpad
- Debian