Windows: vulnerable zlib 1.2.11

zlib v1.2.11 is a dependency of CPython on Windows.

An out-of-bounds access flaw was found in zlib which allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

This bug was introduced in zlib v1.2.2.2, affects all versions through zlib v1.2.11, and was fixed in v1.2.12.

On Windows, the vulnerability is fixed by updating the zlib bundled in the Windows builds to 1.2.12. On Linux and macOS, Python builds against the system zlib library by default, so updating the system zlib is sufficient. Alternatively, a bugfixed zlib different from the system zlib can be selected at build time by setting CPPFLAGS and LDFLAGS.
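Because the fix depends on which zlib a given interpreter actually links against (the bundled copy on Windows, the system library or a CPPFLAGS/LDFLAGS-selected one elsewhere), the practical check is to read the linked zlib version at runtime. The following is an added example, not code from the Python security database or from CPython itself; it compares the version strings CPython exposes against the affected range stated above (1.2.2.2 through 1.2.11, fixed in 1.2.12). The helper names `parse_version`, `is_affected` and `check_linked_zlib` are this example's own.

```python
"""Report whether the zlib linked into this CPython falls in the version
range affected by CVE-2018-25032 (zlib 1.2.2.2 through 1.2.11, fixed in
1.2.12). Added example; helper names are not from CPython."""
import re
import zlib

# Boundaries taken from the advisory text: first affected and first fixed release.
AFFECTED_FROM = (1, 2, 2, 2)
FIXED_IN = (1, 2, 12)


def parse_version(version):
    """Turn a zlib version string such as '1.2.11' or '1.2.2.2' into a tuple
    of ints so that Python's tuple ordering gives the right comparison.
    A trailing non-numeric suffix (e.g. '1.2.11-local') is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised zlib version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version):
    """True if AFFECTED_FROM <= version < FIXED_IN, using the advisory's range."""
    v = parse_version(version)
    return AFFECTED_FROM <= v < FIXED_IN


def check_linked_zlib():
    """Inspect the zlib this interpreter was built against (ZLIB_VERSION) and
    the one it loaded at runtime (ZLIB_RUNTIME_VERSION, which is what matters
    when zlib is a shared system library). Returns a dict, never raises."""
    compile_time = zlib.ZLIB_VERSION
    runtime = zlib.ZLIB_RUNTIME_VERSION
    return {
        "compile_time_version": compile_time,
        "runtime_version": runtime,
        "compile_time_affected": is_affected(compile_time),
        "runtime_affected": is_affected(runtime),
        # The bug is in deflate, so only compression paths are exposed;
        # inflate-only use (decompressing) is not affected by this flaw.
        "deflate_exposed": is_affected(runtime),
    }


if __name__ == "__main__":
    for key, value in check_linked_zlib().items():
        print(f"{key}: {value}")
```

Read `runtime_affected` rather than `compile_time_version`: on Linux and macOS the interpreter may have been compiled against one zlib header set and then loaded a newer shared library after a system update, and it is the loaded library that deflates. One caveat: a version-string check cannot see distribution backports that patch 1.2.11 in place while keeping the version number, so a `True` result is a prompt to verify the package's changelog, not proof of exposure.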

Dates:

  • Disclosure date: 2022-04-01 (Python issue bpo-47194 reported)

Fixed In

Python issue

Upgrade to zlib v1.2.12 in CPython binary releases.

  • Python issue: bpo-47194
  • Creation date: 2022-04-01
  • Reporter: Gregory P. Smith

CVE-2018-25032

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Timeline

Timeline using the disclosure date 2022-04-01 as reference: