Fix for CVE-2018-25032: Update the zlib version bundled with Node.js

[mlopezja]

The zlib version bundled with the latest available Node.js may be affected by CVE-2018-25032, a high-severity security vulnerability that's being re-analyzed by NVD. However, there's a more recent version of zlib that is unaffected by said vulnerability (version 1.2.12).

Our project uses Node.js as a third-party component and this vulnerability was detected by one of our security scanners and we want to make the Node.js community aware of this situation.

Any communication about mitigation steps or a clarification that this CVE does not affect Node.js will be greatly appreciated.

[Trott]

Contrary information would be welcome, but I believe this is a false positive in your security scanner as Node.js uses Chromium's zlib which is not vulnerable.

Refs:

• When CVE-2018-25032 will be fixed in nodejs 14.X node#42569
• deps: switch to chromium's zlib implementation node#31201 (comment)

+@Adenilson

[Trott]

I've closed the issue, but questions and discussion are welcome/fine.

If you do find an indication that this is not a false positive and Node.js is vulnerable, please follow the procedure in https://github.com/nodejs/node/blob/HEAD/SECURITY.md#security to report it. Thanks!

[Trott]

If you do find an indication that this is not a false positive and Node.js is vulnerable, please follow the procedure in https://github.com/nodejs/node/blob/HEAD/SECURITY.md#security to report it. Thanks!

And probably best to report it to the Chromium team if it's in zlib: https://www.chromium.org/Home/chromium-security/reporting-security-bugs/

[Adenilson]

Yep, that is correct, nodejs should be unaffected by CVE-2018-25032 because it runs with Chromium's zlib.

Chromium's zlib has the required fix for the aforementioned CVE since 2018.

We even have a utest with the payload that would crash/corrupt an unpatched zlib, check:
https://source.chromium.org/chromium/chromium/src/+/main:third_party/zlib/contrib/tests/utils_unittest.cc;l=968

[mlopezja]

Thank you very much @Trott and @Adenilson! I'll reach out to the Chromium team (thanks for the link!) and we'll mark this as a false positive.

[nschonni]

nodejs/node#42571

[Adenilson]

@mlopezja I'm part of the Chromium team (https://source.chromium.org/chromium/chromium/src/+/main:third_party/zlib/OWNERS;l=2).

[Adenilson]

We are about 70% done re-syncing with canonical zlib 1.2.12:
https://bugs.chromium.org/p/chromium/issues/detail?id=1032721#c59

[mlopezja]

Thanks for the info @Adenilson! Then there's no need for me to reach out to you 😊