Bug 2366317 (CVE-2025-4638)

Summary: CVE-2025-4638 pcl: zlib: Improper Pointer Arithmetic in pcl
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: adudiak, ahughes, caswilli, csutherl, dfreiber, drow, erack, gotiwari, it.vidhyadharan, jburrell, jcantril, jclere, jhorak, jvasik, kaycoth, khosford, kshier, mbalaoal, mvyas, neugens, omaciel, periklis, pjindal, plodge, rblanco, rojacob, sraghupu, stcannon, szappis, t-fedora, tpopela, vkumar, vmugicag, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the inftrees.c component of the zlib library bundled within the PointCloudLibrary (PCL). This vulnerability allows context-dependent attackers to cause undefined behavior via improper pointer arithmetic.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2366405, 2366407, 2366408, 2366411, 2366412, 2366420, 2366421, 2366423, 2366425, 2366426, 2366430, 2366431, 2366432, 2366434, 2366436, 2366437, 2366438, 2366439, 2366406, 2366409, 2366410, 2366413, 2366414, 2366415, 2366416, 2366417, 2366418, 2366419, 2366422, 2366424, 2366427, 2366428, 2366429, 2366433, 2366435
Bug Blocks:

Description OSIDB Bzimport 2025-05-14 19:01:16 UTC
A vulnerability exists in the inftrees.c component of the zlib library, which is bundled within the PointCloudLibrary (PCL). This issue may allow context-dependent attackers to cause undefined behavior by exploiting improper pointer arithmetic.

Since version 1.14.0, PCL by default uses a zlib installation from the system, unless the user sets WITH_SYSTEM_ZLIB=FALSE. So this potential vulnerability is only relevant if the PCL version is older than 1.14.0 or the user specifically requests to not use the system zlib.

Comment 3 Tobias 2025-05-15 18:09:18 UTC
This is the upstream patch that fixed that: https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0
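Added example (my own code, not zlib's or PCL's) showing the shape of the bug the linked commit removed from inftrees.c: the old code decremented the base/extra table pointers by 257 so they could be indexed by the raw length symbol, which forms a pointer outside the array object (undefined behaviour under the C standard even though every dereference lands inside the table); the fix keeps the pointers at the array start and subtracts a match offset at index time. The 16-entry table subset, the LEN_MATCH/LEN_SYMBOLS names, the range check and the single-field wrappers are assumptions for the illustration, not zlib's code.

```c
#include <stdbool.h>
#include <stdio.h>

/* First DEFLATE literal/length symbol that encodes a match length. */
#define LEN_MATCH 257u

/* Constructed subset of the length tables for symbols 257..272.  Assumption:
 * zlib's real lbase/lext cover 257..285 and encode the op field differently. */
#define LEN_SYMBOLS 16u
static const unsigned short lbase[LEN_SYMBOLS] = {
    3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31 };
static const unsigned short lext[LEN_SYMBOLS] = {
    0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2 };

struct code {
    unsigned char  op;   /* extra bits to read after the symbol */
    unsigned short val;  /* base match length */
};

/* Pre-fix idiom (the one the linked commit removed): decrement the table
 * pointers by 257 so they can be indexed by the raw symbol.  Every access
 * still lands inside lbase/lext, but `base -= LEN_MATCH` forms a pointer
 * before the array object, which C11 6.5.6 leaves undefined.  Kept here only
 * to show the shape of the bug; do not copy it. */
static struct code lookup_offset_pointer(unsigned sym)
{
    const unsigned short *base  = lbase;
    const unsigned short *extra = lext;
    base  -= LEN_MATCH;   /* undefined behaviour: points before lbase[0] */
    extra -= LEN_MATCH;   /* undefined behaviour: points before lext[0] */
    struct code c = { (unsigned char)extra[sym], base[sym] };
    return c;
}

/* Post-fix idiom: keep the pointers at the array start and subtract the match
 * offset at index time.  The explicit range check is an assumption added here
 * so an out-of-table symbol is rejected instead of read past the end. */
static bool lookup_match_offset(unsigned sym, struct code *out)
{
    if (sym < LEN_MATCH || sym - LEN_MATCH >= LEN_SYMBOLS)
        return false;
    out->op  = (unsigned char)lext[sym - LEN_MATCH];
    out->val = lbase[sym - LEN_MATCH];
    return true;
}

/* Single-field wrappers; -1 means "not a length symbol in this table". */
static int base_length(unsigned sym)
{
    struct code c;
    return lookup_match_offset(sym, &c) ? (int)c.val : -1;
}

static int extra_bits(unsigned sym)
{
    struct code c;
    return lookup_match_offset(sym, &c) ? (int)c.op : -1;
}

int main(void)
{
    for (unsigned sym = LEN_MATCH - 1; sym <= LEN_MATCH + LEN_SYMBOLS; sym++) {
        int len = base_length(sym);
        if (len >= 0)
            printf("sym %u -> base length %d, %d extra bits\n",
                   sym, len, extra_bits(sym));
        else
            printf("sym %u -> rejected (outside table)\n", sym);
    }
    /* The old idiom gives the same answers for in-range symbols and has no
     * range check at all, so only probe it with a known-good symbol. */
    struct code old = lookup_offset_pointer(LEN_MATCH + 8);
    printf("old idiom, sym %u -> length %u, %u extra bits\n",
           LEN_MATCH + 8, old.val, old.op);
    return 0;
}
```

The two lookups return identical values for valid symbols, which is why the defect went unnoticed for so long: nothing crashes, the compiler is simply free to assume the out-of-object pointer never exists. Sanitizer builds (`-fsanitize=undefined,pointer-overflow`) and stricter optimisers are what eventually make the first form misbehave.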

Comment 5 Andrew John Hughes 2025-05-19 18:39:14 UTC
This seems to have been filed against all packages that simply bundle zlib, while the issue itself is about pcl bundling a very old zlib (1.2.8). For example, that zlib was replaced in OpenJDK in 2017: https://github.com/openjdk/jdk/commit/b284200a903f2203029288cc68d736e423910207

Comment 6 vidhyadharan 2025-05-20 10:27:33 UTC
The issue was found on registry.access.redhat.com/ubi9/openjdk-21-runtime:1.22-1.1747241886, the very latest image.

{
  "text": "",
  "id": 46,
  "severity": "high",
  "cvss": 8.1,
  "status": "affected",
  "cve": "CVE-2025-4638",
  "cause": "",
  "description": "A vulnerability exists in the inftrees.c component of the zlib library, which is bundled within the PointCloudLibrary (PCL). This issue may allow context-dependent attackers to cause undefined behavior by exploiting improper pointer arithmetic...",
  "title": "",
  "vecStr": "",
  "exploit": "",
  "riskFactors": {
    "Attack vector: network": true,
    "DoS - High": true,
    "High severity": true,
    "Recent vulnerability": true
  },
  "link": "https://access.redhat.com/security/cve/CVE-2025-4638",
  "type": "image",
  "packageType": "os",
  "severityCHML": "H",
  "packageName": "zlib",
  "packageVersion": "1.2.11-40.el9",
  "packageBinaryPkgs": [
    "zlib"
  ]
}

Comment 7 vidhyadharan 2025-05-21 11:48:01 UTC
I also scanned the base image registry.redhat.io/rhel9-osbs/osbs-ubi9-minimal:latest:

{
  "text": "",
  "id": 46,
  "severity": "high",
  "cvss": 8.1,
  "status": "affected",
  "cve": "CVE-2025-4638",
  "cause": "",
  "description": "A vulnerability exists in the inftrees.c component of the zlib library, which is bundled within the PointCloudLibrary (PCL). This issue may allow context-dependent attackers to cause undefined behavior by exploiting improper pointer arithmetic.  Since version 1.14.0, PCL by default uses a zlib installation from the system, unless the user sets WITH_SYSTEM_ZLIB=FALSE. So this potential vulnerability is only relevant if the PCL version is older than 1.14.0 or the user specifically requests to not use the system zlib.",
  "title": "",
  "vecStr": "",
  "exploit": "",
  "riskFactors": {
    "Attack vector: network": true,
    "DoS - High": true,
    "High severity": true,
    "Recent vulnerability": true
  },
  "link": "https://access.redhat.com/security/cve/CVE-2025-4638",
  "type": "image",
  "packageType": "os",
  "layerTime": 1745451390,
  "templates": null,
  "twistlock": false,
  "cri": false,
  "published": 1747267200,
  "fixDate": 0,
  "applicableRules": [
    "*"
  ],
  "discovered": "2025-05-21T08:54:55Z",
  "functionLayer": "",
  "wildfireMalware": {},
  "secret": {},
  "severityCHML": "H",
  "packageName": "zlib",
  "packageVersion": "1.2.11-40.el9",
  "packageBinaryPkgs": [
    "zlib"
  ],
  "packagePath": "",
  "packageLicense": "zlib and Boost"
}

Comment 8 errata-xmlrpc 2025-05-29 13:34:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:8314 https://access.redhat.com/errata/RHSA-2025:8314