Update in-tree zlib with fix for CVE-2018-25032
Categories
(Core :: General, defect)
Tracking
()
People
(Reporter: RyanVM, Assigned: RyanVM)
References
Details
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
dmeehan
:
approval-mozilla-release+
dmeehan
:
approval-mozilla-esr91+
|
Details | Review |
zlib 1.2.12 was released today, largely driven by the need to ship the fix for CVE-2018-25032 in an official build (it landed upstream in 2018). In order to minimize the risk to the upcoming releases, we want to cherry-pick just this one fix instead of taking the wholesale update across all branches during RC week.
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
Try push:
https://treeherder.mozilla.org/jobs?repo=try&revision=ff05a61c969a02c3b4640411a403a0c82424cf4a
|
Assignee | |
Comment 1•2 years ago
|
||
This bug was reported by Danilo Ramos of Eideticom, Inc. It has
lain in wait 13 years before being found! The bug was introduced
in zlib 1.2.2.2, with the addition of the Z_FIXED option. That
option forces the use of fixed Huffman codes. For rare inputs with
a large number of distant matches, the pending buffer into which
the compressed data is written can overwrite the distance symbol
table which it overlays. That results in corrupted output due to
invalid distances, and can result in out-of-bound accesses,
crashing the application.
The fix here combines the distance buffer and literal/length
buffers into a single symbol buffer. Now three bytes of pending
buffer space are opened up for each literal or length/distance
pair consumed, instead of the previous two bytes. This assures
that the pending buffer cannot overwrite the symbol table, since
the maximum fixed code compressed length/distance is 31 bits, and
since there are four bytes of pending space for every three bytes
of symbol space.
|
||
Comment 2•2 years ago
|
||
While the commit specifies Z_FIXED, we now know this can also be triggered with Z_DEFAULT_STRATEGY.
Pushed by rvandermeulen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/45b988670932 Fix a bug that can crash deflate on some input when using Z_FIXED. r=tjr
|
||
Comment 4•2 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 5•2 years ago
|
||
Comment on attachment 9269700 [details]
Bug 1761799 - Fix a bug that can crash deflate on some input when using Z_FIXED.
Beta/Release Uplift Approval Request
- User impact if declined: zlib security/stability issue
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Medium
- Why is the change risky/not risky? (and alternatives if risky): zlib isn't a frequently updated library and it's used a lot throughout the codebase. That said, this particular change was landed upstream 4 years ago and in general I suspect that any breakage would be pretty obvious in the wild.
- String changes made/needed:
|
||
Comment 6•2 years ago
|
||
Comment on attachment 9269700 [details]
Bug 1761799 - Fix a bug that can crash deflate on some input when using Z_FIXED.
Approved for 91.8esr.
|
|
||
Comment 7•2 years ago
|
||
Comment on attachment 9269700 [details]
Bug 1761799 - Fix a bug that can crash deflate on some input when using Z_FIXED.
Approved for release uplift, available on the beta channel with 99.0rc2. Thanks.
|
|
||
Comment 8•2 years ago
|
||
| bugherder uplift | ||
|
|
||
Comment 9•2 years ago
|
||
| bugherder uplift | ||
Description
•