<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body>
<div dir="ltr" style="">
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Hello Vitaly,</div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
(Personal answer not affiliated with OpenJDK members)</div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
I had also asked about this before, but there was no answer (which is however not surprising, since it is the policy of OpenJDK and Oracle to not comment on unfixed security issues).</div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
My hope was that by reporting it before the April update, the (trivial?) zlib update would be merged, but it is still the old version according to the source files. So it depends on build parameters and exploitability of the weakness if you are still in danger
(I guess:).</div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
BTW, while I can understand not publishing unfixed problems, it really does not do Java users a favor to not comment on generally known/published problems, especially not for 2 quarters.</div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
There is however a ray of light on the horizon, I see <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032" target="_blank" rel="noopener" style="box-sizing: border-box; font-family: Facundo, Helvetica, Arial, sans-serif; margin: 0px; overflow-wrap: break-word; text-decoration: underline; text-align: left; white-space: nowrap; color: rgb(21, 105, 180);">CVE-2018-25032</a> fixed
in the Azul April Release Notes and assume they provide the update out of band. (Probably only for Windows binaries, haven’t analysed them yet)</div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
They state:</div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span style="font-size: 16px; caret-color: rgb(68, 78, 103); font-family: Facundo, Helvetica, Arial, sans-serif; text-align: left; color: rgb(68, 78, 103); display: inline !important;">> Our analysis shows that Azul Zulu and OpenJDK are not affected by CVE-2018-25032.</span></div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span style="font-size: 16px; caret-color: rgb(68, 78, 103); font-family: Facundo, Helvetica, Arial, sans-serif; text-align: left; color: rgb(68, 78, 103); display: inline !important;">> In OpenJDK, the Zlib "memLevel" parameter is always set to 8 and can not
be changed by a</span></div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span style="font-size: 16px; caret-color: rgb(68, 78, 103); font-family: Facundo, Helvetica, Arial, sans-serif; text-align: left; color: rgb(68, 78, 103); display: inline !important;">> Java code, and the Z_FIXED strategy is permanently disabled. The CVE does
not apply to Azul</span></div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span style="font-size: 16px; caret-color: rgb(68, 78, 103); font-family: Facundo, Helvetica, Arial, sans-serif; text-align: left; color: rgb(68, 78, 103); display: inline !important;">> Zulu and OpenJDK with these settings. However, Azul decided to include
the corresponding</span></div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span style="font-size: 16px; caret-color: rgb(68, 78, 103); font-family: Facundo, Helvetica, Arial, sans-serif; text-align: left; color: rgb(68, 78, 103); display: inline !important;">> patch to the Zlib library in Azul products just in case someone chooses
to use Zlib from Azul</span></div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span style="font-size: 16px; caret-color: rgb(68, 78, 103); font-family: Facundo, Helvetica, Arial, sans-serif; text-align: left; color: rgb(68, 78, 103); display: inline !important;">> Zulu outside of Java applications.</span><br>
</div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span style="font-size: 16px; caret-color: rgb(68, 78, 103); font-family: Facundo, Helvetica, Arial, sans-serif; text-align: left; color: rgb(68, 78, 103); display: inline !important;"><br>
</span></div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span style="font-size: 16px; caret-color: rgb(68, 78, 103); font-family: Facundo, Helvetica, Arial, sans-serif; text-align: left; color: rgb(68, 78, 103); display: inline !important;">(I am not sure if the analysis is complete; I think the Z_FIXED was not a
strict requirement, but I could be wrong.)</span></div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span style="font-size: 16px; caret-color: rgb(68, 78, 103); font-family: Facundo, Helvetica, Arial, sans-serif; text-align: left; color: rgb(68, 78, 103); display: inline !important;"><br>
</span></div>
<div dir="ltr" style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span style="font-size: 16px; caret-color: rgb(68, 78, 103); font-family: Facundo, Helvetica, Arial, sans-serif; text-align: left; color: rgb(68, 78, 103); display: inline !important;">Hopefully the vulnerability group will share their findings in a few months.</span></div>
<div id="ms-outlook-mobile-signature">
<div dir="ltr"><span style="font-size: inherit;"><br>
</span></div>
<div><span style="font-size: inherit;">Regards</span><br>
</div>
<div dir="ltr">Bernd</div>
<div style="direction:ltr">-- </div>
<div style="direction:ltr">http://bernd.eckenfels.net</div>
</div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> security-dev &lt;security-dev-retn@openjdk.java.net&gt; on behalf of Vitaly Provodin &lt;vitaly.provodin@jetbrains.com&gt;<br>
<b>Sent:</b> Thursday, April 21, 2022 2:06:57 AM<br>
<b>To:</b> security-dev@openjdk.java.net &lt;security-dev@openjdk.java.net&gt;; build-dev@openjdk.java.net &lt;build-dev@openjdk.java.net&gt;<br>
<b>Cc:</b> Vitaly Provodin &lt;vitaly.provodin@jetbrains.com&gt;<br>
<b>Subject:</b> zlib before 1.2.12 allows memory corruption (CVE-2018-25032)</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">Hi all,<br>
<br>
Recently we (at JetBrains) were faced with the vulnerability issue CVE-2018-25032 (zlib before 1.2.12 allows memory corruption…)<br>
It is known that Linux and macOS builds use the system’s zlib, but Windows builds use the bundled one (by default).<br>
On Linux and macOS, users can work around the issue by installing a proper zlib on their systems.<br>
Are there any ideas for Windows? Building (under Cygwin!) with the system zlib looks unworkable if Cygwin is not installed on users' machines.<br>
<br>
It looks like after implementing <a href="https://bugs.openjdk.java.net/browse/JDK-8249963">
https://bugs.openjdk.java.net/browse/JDK-8249963</a> (which was also discussed here <a href="https://mail.openjdk.java.net/pipermail/core-libs-dev/2020-July/067868.html">
https://mail.openjdk.java.net/pipermail/core-libs-dev/2020-July/067868.html</a>) the resolution of such issues can be shifted to users, but what can be done now?<br>
<br>
Thanks,<br>
Vitaly</div>
</span></font></div>
</body>
</html>