.. _update-zlib-1-2-11:

Windows: vulnerable zlib 1.2.11
===============================

.. warning::

   This resource is maintained for historical reference and **does not contain
   the latest vulnerability info for Python**. The `canonical database for
   vulnerabilities affecting Python `_ is available on GitHub in the Open
   Source Vulnerability (OSV) format.

   This vulnerability can be viewed online at the `Open Source Vulnerability
   Database `_.

zlib v1.2.11 is a dependency of CPython on Windows.

An out-of-bounds access flaw was found in zlib which allows memory corruption
when deflating (i.e., when compressing) if the input has many distant matches.
The bug was introduced in zlib v1.2.2.2, is present in every release up to and
including v1.2.11, and was fixed in v1.2.12.

On Windows, the fix is to update the zlib bundled with the CPython Windows
builds to 1.2.12. On Linux and macOS, Python builds against the system zlib
library by default, so updating the system zlib fixes the issue. You can also
build against a fixed zlib other than the system one by pointing CPPFLAGS and
LDFLAGS at it when configuring CPython.

Dates:

* Disclosure date: **2022-04-01** (Python issue bpo-47194 reported)

Fixed In
--------

* Python **3.7.14** (2022-09-06) fixed by `commit 387f93c (branch 3.7) `_
  (2022-04-04)
* Python **3.8.14** (2022-09-06) fixed by `commit 7ccdec3 (branch 3.8) `_
  (2022-05-16)
* Python **3.9.13** (2022-05-17) fixed by `commit 0f0f85e (branch 3.9) `_
  (2022-04-02)
* Python **3.10.5** (2022-06-06) fixed by `commit 16a809f (branch 3.10) `_
  (2022-04-02)

Python issue
------------

Upgrade to zlib v1.2.12 in CPython binary releases.

* Python issue: `bpo-47194 `_
* Creation date: 2022-04-01
* Reporter: Gregory P. Smith

CVE-2018-25032
--------------

zlib before 1.2.12 allows memory corruption when deflating (i.e., when
compressing) if the input has many distant matches.

* CVE ID: `CVE-2018-25032 `_
* Published: 2022-03-25
* `CVSS Score `_: 5.0

Timeline
--------

Timeline using the disclosure date **2022-04-01** as reference:

* 2022-03-25 (**-7 days**): CVE-2018-25032 published
* 2022-04-01: `Python issue bpo-47194 `_ reported by Gregory P. Smith
* 2022-04-02 (**+1 day**): `commit 0f0f85e (branch 3.9) `_
* 2022-04-02 (**+1 day**): `commit 16a809f (branch 3.10) `_
* 2022-04-04 (**+3 days**): `commit 387f93c (branch 3.7) `_
* 2022-05-16 (**+45 days**): `commit 7ccdec3 (branch 3.8) `_
* 2022-05-17 (**+46 days**): Python 3.9.13 released
* 2022-06-06 (**+66 days**): Python 3.10.5 released
* 2022-09-06 (**+158 days**): Python 3.7.14 released
* 2022-09-06 (**+158 days**): Python 3.8.14 released

Links
-----

* https://access.redhat.com/security/cve/cve-2018-25032
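Because CPython on Linux and macOS links against whatever zlib the system (or
CPPFLAGS/LDFLAGS) supplies, the zlib the interpreter was compiled against and
the one it actually loads at runtime can differ. The following added example,
which is not part of this advisory or of CPython, checks both values reported
by the ``zlib`` module against the affected range stated above (introduced in
1.2.2.2, fixed in 1.2.12). The version parsing tolerates vendor suffixes such
as a hypothetical ``1.2.13.zlib-ng``; the range bounds are the only facts taken
from the page.

```python
"""Check whether the zlib a CPython interpreter uses falls in the
CVE-2018-25032 affected range (1.2.2.2 up to and including 1.2.11).

Added example: not code from the python-security advisory or from CPython.
"""
import re
import zlib

# Affected range as stated in the advisory: first vulnerable release and
# first fixed release.
FIRST_AFFECTED = (1, 2, 2, 2)
FIXED_IN = (1, 2, 12)


def parse_zlib_version(version: str) -> tuple:
    """Turn a zlib version string such as '1.2.11' or '1.3.1' into a tuple
    of integers. Trailing non-numeric components (vendor suffixes, e.g. a
    constructed '1.2.13.zlib-ng') are dropped so comparison still works."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable zlib version: {version!r}")
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the version lies in [1.2.2.2, 1.2.12).

    Python compares tuples lexicographically, so (1, 2, 2) < (1, 2, 2, 2)
    and 1.2.2 (which predates the bug) is correctly reported as unaffected.
    """
    parsed = parse_zlib_version(version)
    return FIRST_AFFECTED <= parsed < FIXED_IN


def audit_interpreter() -> dict:
    """Report the compile-time and runtime zlib versions of this interpreter.

    ZLIB_VERSION is the header version the zlib extension was built against;
    ZLIB_RUNTIME_VERSION is what the loaded shared library reports. When the
    system zlib is upgraded in place the runtime value is the one that decides
    whether the flaw is still reachable, so that is the value checked here.
    """
    compiled = zlib.ZLIB_VERSION
    runtime = zlib.ZLIB_RUNTIME_VERSION
    return {
        "compiled_against": compiled,
        "runtime": runtime,
        "affected": is_affected(runtime),
    }


if __name__ == "__main__":
    report = audit_interpreter()
    status = "AFFECTED" if report["affected"] else "not affected"
    print(f"compiled against zlib {report['compiled_against']}, "
          f"runtime zlib {report['runtime']}: {status}")
```

Run it with each interpreter you ship (``python3 audit_zlib.py``, the file
name being an assumption); a mismatch between the two versions is a sign that
the extension was built against one zlib and loads another, which is exactly
the situation the CPPFLAGS/LDFLAGS route in the advisory creates when a fixed
zlib is installed under a separate prefix (for example, assumed paths,
``CPPFLAGS=-I/opt/zlib/include LDFLAGS=-L/opt/zlib/lib ./configure``).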