Vulnerability in zlib that manifests itself when compressing specially formatted data

A vulnerability (CVE-2018-25032) has been identified in the zlib library that leads to a buffer overflow when the library attempts to compress a specially prepared sequence of characters in its input. So far, researchers have only demonstrated the ability to make a process terminate abnormally; whether the problem can have more serious consequences has not yet been studied.

The vulnerability is present starting from zlib 1.2.2.2 and also affects the current release, zlib 1.2.11. Notably, a patch correcting the vulnerability was proposed back in 2018, but the developers did not act on it and did not publish a corrective release (the zlib library was last updated in 2017). The fix is also not yet included in the packages shipped by distributions. You can track the publication of fixes by distributions on these pages: Debian, RHEL, Fedora, SUSE, Ubuntu, Arch Linux, OpenBSD, FreeBSD, NetBSD. The zlib-ng library is not affected by the problem.

The vulnerability is triggered when the input stream contains a large number of matches to be packed and packing is performed using fixed Huffman codes. Under certain circumstances, the contents of the intermediate buffer into which the compressed result is written can overlap the memory holding the symbol frequency table. As a result, incorrect compressed data is generated and the process crashes due to a write outside the buffer boundary.

The vulnerability can only be exploited with a compression strategy based on fixed Huffman codes. That strategy is chosen when the Z_FIXED option is explicitly enabled in the code (an example of a sequence that leads to a crash when using the Z_FIXED option). Judging by the code, the Z_FIXED strategy can also be selected automatically if the optimal and static trees computed for the data turn out to have the same size.

It is not yet clear whether the conditions for exploiting the vulnerability can be met under the default compression strategy, Z_DEFAULT_STRATEGY. If not, the vulnerability is limited to the specific systems that explicitly use the Z_FIXED option. If so, the damage from the vulnerability could be very significant, since the zlib library is a de facto standard and is used in many popular projects, including the Linux kernel, OpenSSH, OpenSSL, Apache httpd, libpng, FFmpeg, rsync, dpkg, rpm, Git, PostgreSQL, MySQL, etc.
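Since the affected code path depends on which strategy the compressor uses, a defender auditing a service wants two things: to see where the explicit Z_FIXED opt-in happens in code, and to check what block type a produced stream actually starts with. The following Python example (added here; it is not code from the article or from the zlib project) does both using only the standard-library `zlib` module: it compresses a constructed, highly repetitive sample under Z_FIXED, the default strategy and compression level 0, then parses the zlib header and the first deflate block header to report whether that block uses stored, fixed or dynamic Huffman coding. The block names and the `SAMPLE` input are assumptions of this example; it inspects only the first deflate block, not every block in the stream.

```python
"""Added example (not from the article): compress with an explicit zlib
strategy and read back which deflate block type the stream starts with."""
import zlib

# Human-readable names for the 2-bit BTYPE field of a deflate block header (RFC 1951).
BLOCK_TYPES = {0: "stored", 1: "fixed", 2: "dynamic", 3: "reserved"}


def compress_with(data: bytes, strategy: int, level: int = 6) -> bytes:
    """Compress *data* into a zlib stream using the given strategy.

    Passing zlib.Z_FIXED here is the explicit opt-in the article describes:
    deflate is forced to encode blocks with the fixed (static) Huffman tables.
    """
    comp = zlib.compressobj(level, zlib.DEFLATED, zlib.MAX_WBITS,
                            zlib.DEF_MEM_LEVEL, strategy)
    return comp.compress(data) + comp.flush()


def first_block_type(stream: bytes) -> str:
    """Return the BTYPE name of the first deflate block inside a zlib stream.

    Layout: 2-byte zlib header (CMF, FLG), an optional 4-byte preset
    dictionary id if FLG bit 5 is set, then the deflate data. The first
    deflate byte carries BFINAL in bit 0 and BTYPE in bits 1-2 (LSB first).
    """
    if len(stream) < 3:
        raise ValueError("stream too short to hold a zlib header and a block")
    cmf, flg = stream[0], stream[1]
    # CM must be 8 (deflate) and the header must be a multiple of 31 (RFC 1950).
    if (cmf & 0x0F) != 8 or ((cmf << 8) | flg) % 31 != 0:
        raise ValueError("not a zlib stream (bad CMF/FLG)")
    offset = 2 + (4 if flg & 0x20 else 0)
    if len(stream) <= offset:
        raise ValueError("stream ends before the first deflate block")
    btype = (stream[offset] >> 1) & 0x03
    return BLOCK_TYPES[btype]


# Constructed sample input: highly repetitive, so deflate emits many matches.
SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 100


def strategy_report(data: bytes = SAMPLE) -> dict:
    """Compress *data* under several settings and record the first block type
    of each result, after checking that every stream round-trips."""
    report = {}
    for name, strategy, level in (
        ("default", zlib.Z_DEFAULT_STRATEGY, 6),
        ("fixed", zlib.Z_FIXED, 6),
        ("stored", zlib.Z_DEFAULT_STRATEGY, 0),  # level 0: no compression at all
    ):
        stream = compress_with(data, strategy, level)
        if zlib.decompress(stream) != data:
            raise RuntimeError(f"{name}: round-trip mismatch")
        report[name] = first_block_type(stream)
    return report


if __name__ == "__main__":
    for name, btype in strategy_report().items():
        print(f"{name:>8}: first deflate block type = {btype}")
```

The `fixed` and `stored` results are deterministic (Z_FIXED forces static tables; level 0 emits stored blocks), while the `default` result is whatever zlib's tree-size comparison picks for the input, which is exactly the automatic selection the article says is still unstudied. Searching a code base for `Z_FIXED` and running this kind of check on representative outputs is the practical way to find out which of your own components sit on the affected path before distribution patches arrive.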

Source: opennet.ru
