Page MenuHome GnuPG

CVE-2018-25032 for zlib <=1.2.11 (CVSS 8.1 high)
Open, HighPublic

Description

According to

"zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches."

In my understanding of T5880 , the build data for windows will have to be updated to 1.2.12
and a new Gpg4win release seems prudent.

Related Objects

Event Timeline

Not in the way it is used by gpg. See T5880

Not in the way it is used by gpg. See T5880

Okay, I understand that no external data is run directly through the part of zlib with the defect and thus there is no way to construct input to that functions of zlib that have the problem.

Thanks for the clarification, I admit that I was not clear about this from reading T5880.

In any way, the existence of this issue is good, because we can refer people to it, who have the same question. Some might even find it by themselves.

werner triaged this task as Unbreak Now! priority.

Sorry, that was a misunderstanding. My fault.

(Werner just told me that I was mistaken and he needs to take a look. There was a mixup because of the 2018 CVE number.)

werner lowered the priority of this task from Unbreak Now! to High.Apr 5 2022, 12:14 PM
werner edited projects, added CVE, gnupg (gpg22); removed gnupg.

The fix is from 2018 but was not picked up widely; see
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531

Given that at this is a compression only bug the input data to GnuPG should in most cases be controlled by the user and is thus known. Thus the severity of this bug for attended use cases is not high but we need to fix it anyway.

Updated the copy on our mirror as welll as the gpg4win and swdb packages files.