zlib 缓冲区错误漏洞（CVE-2018-25032）

admin

0
文章

0
评论

2023-11-30 08:32:48 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

中危 zlib 缓冲区错误漏洞（CVE-2018-25032）

CVE编号

CVE-2018-25032

利用情况

暂无

补丁情况

官方补丁

披露时间

2022-03-25

漏洞描述

zlib是美国Mark Adler个人开发者的一个通用的数据压缩库。 zlib 1.2.11 版本存在缓冲区错误漏洞，该漏洞源于如果输入有很多远匹配，压缩时可能出现内存损坏。

解决建议

目前厂商已发布升级补丁以修复漏洞，补丁获取链接：https://z-lib.org/

参考链接
http://seclists.org/fulldisclosure/2022/May/33
http://seclists.org/fulldisclosure/2022/May/35
http://seclists.org/fulldisclosure/2022/May/38
http://www.openwall.com/lists/oss-security/2022/03/25/2
http://www.openwall.com/lists/oss-security/2022/03/26/1
https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
https://github.com/madler/zlib/issues/605
https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html
https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html
https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/[email protected]...
https://lists.fedoraproject.org/archives/list/[email protected]...
https://security.gentoo.org/glsa/202210-42
https://security.netapp.com/advisory/ntap-20220526-0009/
https://security.netapp.com/advisory/ntap-20220729-0004/
https://support.apple.com/kb/HT213255
https://support.apple.com/kb/HT213256
https://support.apple.com/kb/HT213257
https://www.debian.org/security/2022/dsa-5111
https://www.openwall.com/lists/oss-security/2022/03/24/1
https://www.openwall.com/lists/oss-security/2022/03/28/1
https://www.openwall.com/lists/oss-security/2022/03/28/3
https://www.oracle.com/security-alerts/cpujul2022.html

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	zlib	zlib	*		Up to (excluding) 1.2.12
	运行在以下环境
	系统	alpine_3.12	zlib	*		Up to (excluding) 1.2.12-r0
	运行在以下环境
	系统	alpine_3.13	mariadb	*		Up to (excluding) 10.5.17-r0
	运行在以下环境
	系统	alpine_3.14	mariadb	*		Up to (excluding) 10.5.17-r0
	运行在以下环境
	系统	alpine_3.15	mariadb	*		Up to (excluding) 1.2.12-r0
	运行在以下环境
	系统	alpine_3.16	mariadb	*		Up to (excluding) 1.2.12-r0
	运行在以下环境
	系统	alpine_3.17	mariadb	*		Up to (excluding) 1.2.12-r0
	运行在以下环境
	系统	alpine_3.18	mariadb	*		Up to (excluding) 1.2.11-r4
	运行在以下环境
	系统	alpine_edge	mariadb	*		Up to (excluding) 1.2.11-r4
	运行在以下环境
	系统	amazon_2	zlib	*		Up to (excluding) 1.2.7-19.amzn2.0.1
	运行在以下环境
	系统	amazon_2022	zlib	*		Up to (excluding) 3.2.6-1.amzn2022.0.2
	运行在以下环境
	系统	amazon_2023	zlib	*		Up to (excluding) 3.2.6-1.amzn2023.0.3
	运行在以下环境
	系统	amazon_AMI	zlib	*		Up to (excluding) 3.0.6-12.14.amzn1
	运行在以下环境
	系统	anolis_os_7	minizip	*		Up to (excluding) 1.2.7-20
	运行在以下环境
	系统	anolis_os_8	zlib	*		Up to (excluding) 1.2.8-10
	运行在以下环境
	系统	centos_7	zlib	*		Up to (excluding) 1.2.7-20.el7_9
	运行在以下环境
	系统	centos_8	zlib	*		Up to (excluding) 3.1.3-14.el8_6.2
	运行在以下环境
	系统	debian_10	libz-mingw-w64	*		Up to (excluding) 1:1.2.11.dfsg-1+deb10u1
	运行在以下环境
	系统	debian_11	libz-mingw-w64	*		Up to (excluding) 1:1.2.11.dfsg-2+deb11u1
	运行在以下环境
	系统	debian_12	libz-mingw-w64	*		Up to (excluding) 1:1.2.11.dfsg-4
	运行在以下环境
	系统	debian_9	libz-mingw-w64	*		Up to (excluding) 1:1.2.8.dfsg-5+deb9u1
	运行在以下环境
	系统	debian_sid	libz-mingw-w64	*		Up to (excluding) 1:1.2.11.dfsg-4
	运行在以下环境
	系统	fedora_34	rsync	*		Up to (excluding) 3.2.3-6.fc34
	运行在以下环境
	系统	fedora_35	rsync	*		Up to (excluding) 1.2.11-31.fc35
	运行在以下环境
	系统	fedora_36	rsync	*		Up to (excluding) 1.2.11-32.fc36
	运行在以下环境
	系统	kylinos_aarch64_V10	rsync	*		Up to (excluding) 0.186-1.el8
	运行在以下环境
	系统	kylinos_aarch64_V10SP1	minizip	*		Up to (excluding) 1.2.11-19.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP2	minizip	*		Up to (excluding) 1.2.11-19.ky10
	运行在以下环境
	系统	kylinos_loongarch64_V10SP1	minizip	*		Up to (excluding) 1.2.11-19.a.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10	rsync	*		Up to (excluding) 0.186-1.el8
	运行在以下环境
	系统	kylinos_x86_64_V10SP1	minizip	*		Up to (excluding) 1.2.11-19.ky10
	运行在以下环境
系统	kylinos_x86_64_V10SP2	minizip	*		Up to (excluding) 1.2.11-19.ky10
运行在以下环境
系统	opensuse_Leap_15.3	libminizip1	*		Up to (excluding) 1.2.11-150000.3.30.1
运行在以下环境
系统	opensuse_Leap_15.4	mupdf	*		Up to (excluding) 1.2.11-150000.3.30.1
运行在以下环境
系统	oracle_6	oraclelinux-release	*		Up to (excluding) 1.2.3-29.0.1.el6
运行在以下环境
系统	oracle_7	oraclelinux-release	*		Up to (excluding) 1.2.7-20.el7_9
运行在以下环境
系统	oracle_8	oraclelinux-release	*		Up to (excluding) 1.2.11-18.el8_5
运行在以下环境
系统	oracle_9	oraclelinux-release	*		Up to (excluding) 1.2.12-2.el9
运行在以下环境
系统	redhat_6	minizip	*		Up to (excluding) 0:1.2.3-31.el6_10
运行在以下环境
系统	redhat_7	minizip	*		Up to (excluding) 1.2.7-20.el7_9
运行在以下环境
系统	redhat_8	zlib	*		Up to (excluding) 3.1.3-14.el8_6.2
运行在以下环境
系统	redhat_9	rsync-daemon	*		Up to (excluding) 1.2.11-31.el9_0.1
运行在以下环境
系统	suse_12_SP5	libz1-32bit	*		Up to (excluding) 1.2.11-11.19.1
运行在以下环境
系统	ubuntu_18.04	zlib	*		Up to (excluding) 1:1.2.11.dfsg-0ubuntu2.1
运行在以下环境
系统	ubuntu_20.04	zlib	*		Up to (excluding) 1:1.2.11.dfsg-2ubuntu1.3
运行在以下环境
系统	ubuntu_21.10	zlib	*		Up to (excluding) 1:1.2.11.dfsg-2ubuntu7.1
运行在以下环境
系统	ubuntu_22.04	zlib	*		Up to (excluding) 1:1.2.11.dfsg-2ubuntu9
运行在以下环境
系统	ubuntu_22.10	zlib	*		Up to (excluding) 1:1.2.11.dfsg-2ubuntu9
运行在以下环境
系统	unionos_a	zlib	*		Up to (excluding) zlib-1.2.11-20.01
运行在以下环境
系统	unionos_d	mariadb-10.3	*		Up to (excluding) 1:10.3.36.1-0+dde