
CVE-2018-25032: Zlib Deflate Memory Corruption Vulnerability

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.26054%
Published: 3/26/2022
Updated: 6/27/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
nokogiri | rubygems | < 1.13.4 | 1.13.4

Vulnerability Intelligence

Root Cause Analysis

The vulnerability (CVE-2018-25032) is an out-of-bounds write in zlib's deflate algorithm. The root cause, as indicated by the commit message and patch (5c44459c3b28a9bd3283aaceab7c615f8020c531), was an improper memory overlay in which the pending_buf (holding compressed output) could overwrite the symbol tables (d_buf and l_buf, holding distances and literals/lengths).

  1. deflateInit2_ and deflateCopy were responsible for setting up this flawed memory layout. The patch significantly changes how these buffers are allocated and how they are positioned relative to each other, so that the overwrite can no longer happen. The evidence is the removal of the overlay variable, and of the d_buf and l_buf pointers calculated directly from it, in favor of a combined sym_buf with safer spacing.
  2. compress_block is the function that reads from the potentially corrupted symbol tables (d_buf, l_buf) and orchestrates writes to pending_buf (via send_code, etc.). If the symbol tables were corrupted by previous writes into pending_buf, compress_block would use this corrupted data, which could then lead to out-of-bounds writes when generating further output into pending_buf. The patch changes how symbols are read (from the new sym_buf) and updates an assertion related to buffer overflow checks, reflecting the corrected buffer management. These functions are therefore identified as directly containing or executing the vulnerable logic that was fixed.
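
The following model is an added example, not zlib's code and not part of the original analysis; it compares how fast output written into pending_buf advances against the position compress_block reads from, under both layouts. The type and function names are hypothetical, the offsets follow zlib's deflateInit2_ before and after the patch rather than anything stated on this page, and the 31-bit per-symbol cost is the RFC 1951 fixed-code maximum for a match.

```c
#include <stddef.h>
#include <stdio.h>

/* Model only. Assumptions: pending_buf is empty when the block starts, every
 * symbol is a match costing the RFC 1951 fixed-code maximum (8+5 length bits,
 * 5+13 distance bits), and block header / end-of-block bits are ignored. */
#define WORST_BITS_PER_SYMBOL 31u

typedef struct {
    const char *name;
    size_t first_off;      /* byte offset in pending_buf of the first entry read */
    size_t bytes_per_sym;  /* how far the read position advances per symbol */
} layout_t;

/* Pre-patch: d_buf holds 2-byte distances, lit_bufsize bytes into pending_buf. */
layout_t old_layout(size_t lit_bufsize) {
    layout_t l = { "d_buf overlay", lit_bufsize, 2 };
    return l;
}

/* Patched: sym_buf holds 3 bytes per symbol, also lit_bufsize bytes in. */
layout_t patched_layout(size_t lit_bufsize) {
    layout_t l = { "sym_buf", lit_bufsize, 3 };
    return l;
}

/* Index of the first symbol whose stored entry is already covered by emitted
 * output when compress_block reads it, or -1 if output never catches up. */
long first_clobbered_symbol(layout_t l, size_t nsyms) {
    for (size_t i = 0; i < nsyms; i++) {
        size_t written = (i * WORST_BITS_PER_SYMBOL + 7) / 8; /* symbols 0..i-1 */
        size_t read_at = l.first_off + i * l.bytes_per_sym;
        if (written > read_at)
            return (long)i;
    }
    return -1;
}

int main(void) {
    size_t lit_bufsize = 16384;     /* 1 << (memLevel + 6) at the default memLevel 8 */
    size_t nsyms = lit_bufsize - 1; /* the block is flushed at lit_bufsize - 1 symbols */
    layout_t layouts[2] = { old_layout(lit_bufsize), patched_layout(lit_bufsize) };
    for (int k = 0; k < 2; k++)
        printf("%-14s first clobbered symbol: %ld\n", layouts[k].name,
               first_clobbered_symbol(layouts[k], nsyms));
    return 0;
}
```

In this model the pre-patch layout is overtaken at symbol 8739 of 16383, while the patched layout is never overtaken because output grows by at most 4 bytes per symbol against a 3-byte read stride and a lit_bufsize head start.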
