zlib before 1.2.12 allows memory corruption (CVE-2018-25032)

Bradford Wetmore bradford.wetmore at oracle.com
Tue Apr 26 23:09:30 UTC 2022

On 4/20/2022 5:06 PM, Vitaly Provodin wrote:

> Recently we (at JetBrains) were faced with the vulnerability issue CVE-2018-25032 (zlib before 1.2.12 allows memory corruption…)
> It is known that Linux and macOS builds use the system's zlib, but Windows builds use a bundled one (by default).
> On Linux and macOS, users can work around the issue by installing a proper zlib on their systems.
> Are there any ideas for Windows? Building (under Cygwin!) with the system zlib looks unworkable if Cygwin is not installed on users' machines.
> It looks like after implementing https://bugs.openjdk.java.net/browse/JDK-8249963 (which was also discussed here https://mail.openjdk.java.net/pipermail/core-libs-dev/2020-July/067868.html) the resolution of such issues can be shifted to users, but what can be done now?

Hi Vitaly,

A better forum might be core-libs-dev [1], and build-dev as you already cc'd.


[1] https://mail.openjdk.java.net/mailman/listinfo/core-libs-dev

More information about the security-dev mailing list