CVE-2018-25032: Zlib Deflate Memory Corruption Vulnerability
CVSS Score: 7.5 (CVSS 3.1)
Basic Information
CVE ID: CVE-2018-25032
EPSS Score: 0.26054%
Published: 3/26/2022
Updated: 6/27/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
nokogiri | rubygems | < 1.13.4 | 1.13.4
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability (CVE-2018-25032) is an out-of-bounds write in zlib's deflate algorithm. The root cause, as indicated by the commit message and patch (5c44459c3b28a9bd3283aaceab7c615f8020c531), was an improper memory overlay in which `pending_buf` (holding compressed output) could overwrite the symbol tables `d_buf` and `l_buf` (holding distances and literal/lengths).

`deflateInit2_` and `deflateCopy` were responsible for setting up this flawed memory layout. The patch significantly changes how these buffers are allocated and how they are positioned relative to each other, so that the overwrite can no longer occur. The evidence is the removal of the `overlay` variable and of the direct calculation of `d_buf` and `l_buf` from it, replaced by a combined `sym_buf` with safer spacing.

`compress_block` is the function that reads from the potentially corrupted symbol tables (`d_buf`, `l_buf`) and orchestrates writes to `pending_buf` (via `send_code`, etc.). If the symbol tables had been corrupted by earlier writes into `pending_buf`, `compress_block` would use that corrupted data, which could then lead to out-of-bounds writes when generating further output into `pending_buf`. The patch changes how symbols are read (from the new `sym_buf`) and updates an assertion related to buffer-overflow checks, reflecting the corrected buffer management. These functions are therefore identified as directly containing or executing the vulnerable logic that was fixed.