zlib before 1.2.12 allows memory corruption (CVE-2018-25032)

Vitaly Provodin vitaly.provodin at jetbrains.com
Thu Apr 21 00:06:57 UTC 2022


Hi all,

Recently we (at JetBrains) were faced with the vulnerability issue CVE-2018-25032 (zlib before 1.2.12 allows memory corruption…).
It is known that Linux and macOS builds use the system's zlib, but Windows builds use the bundled one (by default).
On Linux and macOS, users can work around the issue by installing a proper zlib on their systems.
Are there any ideas for Windows? Building (under Cygwin!) with the system zlib looks unworkable if Cygwin is not installed on users' machines.

It looks like after implementing https://bugs.openjdk.java.net/browse/JDK-8249963 (which was also discussed here: https://mail.openjdk.java.net/pipermail/core-libs-dev/2020-July/067868.html) the resolution of such issues can be shifted to users, but what can be done now?

Thanks,
Vitaly

