Hello Vitaly, (Personal answer not affiliated with OpenJDK members)
I had also asked about this before, but there was no answer (which is however not surprising, since it is the policy of OpenJDK and Oracle to not comment on unfixed security issues). My hope was, that by reporting it before the April update, the (trivial?) zlib update would be merged, but it is still the old version according to the source files. So it depends on build parameters and exploitability of the weakness if you are still in danger (I guess:). BTW while I can understand to not publish unfixed problems, it does really not do the java users a favor to not comment on generally known/published problems, especially not for 2 quarters. There is however a ray of light on the horizon, I see CVE-2018-25032<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032> fixed in the Azul April Release Notes and asume they provide the update out of band. (Probably only for Windows binaries, haven’t analysed them yet) They state: > Our analysis shows that Azul Zulu and OpenJDK are not affected by > CVE-2018-25032. > In OpenJDK, the Zlib "memLevel" parameter is always set to 8 and can not be > changed by a > Java code, and the Z_FIXED strategy is permanently disabled. The CVE does not > apply to Azul > Zulu and OpenJDK with these settings. However, Azul decided to include the > corresponding > patch to the Zlib library in Azul products just in case someone chooses to > use Zlib from Azul > Zulu outside of Java applications. (I am not sure of the analysis is complete I think the z_fixed was not a strict requirement, but I could be wrong.) Hopefully the vulnerability group will share their finding in a few month. Gruss Bernd -- http://bernd.eckenfels.net ________________________________ Von: security-dev <security-dev-r...@openjdk.java.net> im Auftrag von Vitaly Provodin <vitaly.provo...@jetbrains.com> Gesendet: Thursday, April 21, 2022 2:06:57 AM An: security-dev@openjdk.java.net <security-dev@openjdk.java.net>; build-...@openjdk.java.net <build-...@openjdk.java.net> Cc: Vitaly Provodin <vitaly.provo...@jetbrains.com> Betreff: zlib before 1.2.12 allows memory corruption (CVE-2018-25032) Hi all, Recently we (at JetBrains) were faced with the vulnerability issue CVE-2018-25032 (zlib before 1.2.12 allows memory corruption…) It is known that Linux, macOS builds uses system’s zlib but Windows - bundled one (by default). On Linux and macOS users can work around the issue by installing proper zlib on their systems. Are there any ideas for Windows? - the way building (under Cygwin!) with system zlib looks unworkable in case if Cygwin is not installed on user's machines. It looks like after implementing https://bugs.openjdk.java.net/browse/JDK-8249963 (which also discussed here https://mail.openjdk.java.net/pipermail/core-libs-dev/2020-July/067868.html) the resolution of such issues can be shifted to users but what can be done now? Thanks, Vitaly
