CVE-2018-25032: zlib memory corruption on deflate

Related Vulnerabilities: CVE-2018-25032  

Debian Bug report logs - #1008265

Package: src:zlib; Maintainer for src:zlib is Mark Brown <broonie@debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 25 Mar 2022 16:33:04 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions zlib/1:1.2.11.dfsg-1, zlib/1:1.2.11.dfsg-2

Fixed in version zlib/1:1.2.11.dfsg-4

Done: Mark Brown <broonie@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Mark Brown <broonie@debian.org>:
Bug#1008265; Package src:zlib. (Fri, 25 Mar 2022 16:33:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Mark Brown <broonie@debian.org>. (Fri, 25 Mar 2022 16:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2018-25032: zlib memory corruption on deflate
Date: Fri, 25 Mar 2022 17:31:44 +0100
Source: zlib
Version: 1:1.2.11.dfsg-2
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

This was assigned CVE-2018-25032:
https://www.openwall.com/lists/oss-security/2022/03/24/1
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531

Cheers,
        Moritz



Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 25 Mar 2022 19:45:04 GMT)


Marked as found in versions zlib/1:1.2.11.dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 25 Mar 2022 21:45:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Mark Brown <broonie@debian.org>:
Bug#1008265; Package src:zlib. (Fri, 25 Mar 2022 21:54:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Mark Brown <broonie@debian.org>. (Fri, 25 Mar 2022 21:54:02 GMT)


Message #14 received at 1008265@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 1008265@bugs.debian.org
Subject: Re: Bug#1008265: CVE-2018-25032: zlib memory corruption on deflate
Date: Fri, 25 Mar 2022 22:50:51 +0100
Control: tags -1 + patch

Hi Mark,

On Fri, Mar 25, 2022 at 05:31:44PM +0100, Moritz Muehlenhoff wrote:
> Source: zlib
> Version: 1:1.2.11.dfsg-2
> Severity: grave
> Tags: security
> X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
> 
> This was assigned CVE-2018-25032:
> https://www.openwall.com/lists/oss-security/2022/03/24/1
> https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531

Here is a preliminary debdiff to address this.

Regards,
Salvatore
[zlib_1.2.11.dfsg-3.1.debdiff (text/plain, attachment)]

Reply sent to Mark Brown <broonie@debian.org>:
You have taken responsibility. (Sat, 26 Mar 2022 00:06:06 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 26 Mar 2022 00:06:06 GMT)


Message #19 received at 1008265-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1008265-close@bugs.debian.org
Subject: Bug#1008265: fixed in zlib 1:1.2.11.dfsg-4
Date: Sat, 26 Mar 2022 00:04:03 +0000
Source: zlib
Source-Version: 1:1.2.11.dfsg-4
Done: Mark Brown <broonie@debian.org>

We believe that the bug you reported is fixed in the latest version of
zlib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1008265@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Brown <broonie@debian.org> (supplier of updated zlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 25 Mar 2022 23:32:05 +0000
Source: zlib
Architecture: source
Version: 1:1.2.11.dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Mark Brown <broonie@debian.org>
Changed-By: Mark Brown <broonie@debian.org>
Closes: 1008265
Changes:
 zlib (1:1.2.11.dfsg-4) unstable; urgency=medium
 .
   * Pick upstream patch for CVE-2018-25032 (closes: #1008265).





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#1008265; Package src:zlib. (Sat, 26 Mar 2022 01:03:02 GMT)


Acknowledgement sent to Mark Brown <broonie@debian.org>:
Extra info received and forwarded to list. (Sat, 26 Mar 2022 01:03:02 GMT)


Message #24 received at 1008265@bugs.debian.org:

From: Mark Brown <broonie@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1008265@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#1008265: CVE-2018-25032: zlib memory corruption on deflate
Date: Sat, 26 Mar 2022 00:59:15 +0000
On Fri, Mar 25, 2022 at 10:50:51PM +0100, Salvatore Bonaccorso wrote:

> Here is a preliminary debdiff to address this.

Thanks, that's roughly what I uploaded - it looks like your mail
raced with my own update.

Information forwarded to debian-bugs-dist@lists.debian.org, Mark Brown <broonie@debian.org>:
Bug#1008265; Package src:zlib. (Sat, 26 Mar 2022 08:06:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Mark Brown <broonie@debian.org>. (Sat, 26 Mar 2022 08:06:03 GMT)


Message #29 received at 1008265@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Mark Brown <broonie@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 1008265@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#1008265: CVE-2018-25032: zlib memory corruption on deflate
Date: Sat, 26 Mar 2022 09:02:31 +0100
Hi Mark,

On Sat, Mar 26, 2022 at 12:59:15AM +0000, Mark Brown wrote:
> On Fri, Mar 25, 2022 at 10:50:51PM +0100, Salvatore Bonaccorso wrote:
> 
> > Here is a preliminary debdiff to address this.
> 
> Thanks, that's roughly what I uploaded - it looks like your mail
> raced with my own update.

Thanks a lot! We should probably fix the issue as well in stable and
oldstable, but it might be wise to give it a bit of exposure now in
unstable.

Regards,
Salvatore



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Mar 26 13:09:51 2022; Machine Name: bembo
