I'm trying to work out if we are exposed to the recently reported CVE-2018-25032 vulnerability, as .NET does use the zlib library in the DeflateStream implementation.
I can't seem to find anything released by Microsoft about this.
Is there a way to find out which .NET Framework version uses which version of zlib?
CodePudding user response:
According to the DeflateStream docs page, .NET Framework versions prior to 4.5 do not use zlib at all:
Starting with the .NET Framework 4.5, the DeflateStream class uses the zlib library
I don't know which exact versions of zlib each subsequent version of .NET Framework used (and the version may have changed with minor patches over time), but I can give an approximation based on when each .NET Framework version was released and compare that to the latest version of zlib at the time (the .NET team most likely opted to use the latest version of each external library, including zlib, that was available at any given time):
| .NET Framework Version | Latest zlib version upon respective .NET version release |
|---|---|
| 4.5 | 1.2.7 |
| 4.5.1 | 1.2.8 |
| 4.5.2 | 1.2.8 |
| 4.6 | 1.2.8 |
| 4.6.1 | 1.2.8 |
| 4.6.2 | 1.2.8 |
| 4.7 | 1.2.11 |
| 4.7.1 | 1.2.11 |
| 4.8 | 1.2.11 |
As you can see, all versions of .NET Framework since zlib was added use a version of zlib that is susceptible to this CVE. Per the author, Mark Adler, however, DeflateStream may not even call Z_FIXED (see the CVE info below), so DeflateStream code may not be susceptible to the CVE despite the version of zlib it uses containing said vulnerability. If you have any custom code that does interact with Z_FIXED using .NET's packaged zlib version, you should mitigate the vulnerability manually or explicitly import zlib v1.2.12 to overwrite .NET's built-in version.
Note that the CVE and zlib's patch for it are so new that the latest version of .NET, .NET Core 6.0.3 (which was released on 8 March 2022), still uses zlib v1.2.11 (from 2017). From the .NET zlib.3 file in the GitHub repository:
.TH ZLIB 3 "15 Jan 2017" .SH NAME zlib \- compression/decompression library [...]
And zlib.h (the readme) from that same repository folder:
/* zlib.h -- interface of the 'zlib' general purpose compression library version 1.2.11, January 15th, 2017 [...]
And from the ZLIB changelog on GitHub:
ChangeLog file for zlib Changes in 1.2.12 (27 Mar 2022) [...] - Fix a bug that can crash deflate on some input when using Z_FIXED [...]
(Skipped irrelevant lines to focus on the specific change that prompted the CVE).