Windows: vulnerable zlib 1.2.11¶
zlib v1.2.11 is a dependency of CPython on Windows.
An out-of-bounds access flaw was found in zlib, which allows memory corruption when deflating (ex: when compressing) if the input has many distant matches.
This bug was introduced in zlib v188.8.131.52 through zlib v1.2.11 and fixed in v1.2.12.
On Windows, you could fix this vulnerability by updating zlib to 1.2.12 in Windows builds. On Linux and macOS, Python uses the system zlib library to build by default, you could update your system zlib version. You can also specify a bugfixed zlib different from the system zlib by setting CPPFLAGS and LDFLAGS.
- Disclosure date: 2022-04-01 (Python issue bpo-47194 reported)
- Python 3.7.14 (2022-09-06) fixed by commit 387f93c (branch 3.7) (2022-04-04)
- Python 3.8.14 (2022-09-06) fixed by commit 7ccdec3 (branch 3.8) (2022-05-16)
- Python 3.9.13 (2022-05-17) fixed by commit 0f0f85e (branch 3.9) (2022-04-02)
- Python 3.10.5 (2022-06-06) fixed by commit 16a809f (branch 3.10) (2022-04-02)
Upgrade to zlib v1.2.12 in CPython binary releases.
- Python issue: bpo-47194
- Creation date: 2022-04-01
- Reporter: Gregory P. Smith
zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Timeline using the disclosure date 2022-04-01 as reference:
- 2022-03-25 (-7 days): CVE-2018-25032 published
- 2022-04-01: Python issue bpo-47194 reported by Gregory P. Smith
- 2022-04-02 (+1 days): commit 0f0f85e (branch 3.9)
- 2022-04-02 (+1 days): commit 16a809f (branch 3.10)
- 2022-04-04 (+3 days): commit 387f93c (branch 3.7)
- 2022-05-16 (+45 days): commit 7ccdec3 (branch 3.8)
- 2022-05-17 (+46 days): Python 3.9.13 released
- 2022-06-06 (+66 days): Python 3.10.5 released
- 2022-09-06 (+158 days): Python 3.7.14 released
- 2022-09-06 (+158 days): Python 3.8.14 released