zlib before 1.2.12 allows memory corruption (CVE-2018-25032)

Vitaly Provodin vitaly.provodin at jetbrains.com
Thu Apr 21 00:06:57 UTC 2022

Hi all,

Recently we (at JetBrains) were faced with the vulnerability issue CVE-2018-25032 (zlib before 1.2.12 allows memory corruption…)
It is known that Linux, macOS builds uses system’s zlib but Windows - bundled one (by default).
On Linux and macOS users can work around the issue by installing proper zlib on their systems.
Are there any ideas for Windows? - the way building (under Cygwin!) with system zlib looks unworkable in case if Cygwin is not installed on user's machines.

It looks like after implementing https://bugs.openjdk.java.net/browse/JDK-8249963 (which also discussed here https://mail.openjdk.java.net/pipermail/core-libs-dev/2020-July/067868.html) the resolution of such issues can be shifted to users but what can be done now?


More information about the security-dev mailing list