Racket v8.5 release thread

Here's my shortened attempt:

Those who manually configure Racket CS to use Zlib compression for compiled code should be aware of CVE-2018-25032, which could potentially open the door to a host of attacks.

Here's an edit to consider:

"Those who manually configure Racket CS to use Zlib compression for compiled code should be aware of CVE-2018-25032; the next release and the current snapshot builds use a newer version of zlib."

Sounds good to me.

Ooh, have to get to 20 characters.

It looks like there's also now NVD - CVE-2022-37434, which affects the updated zlib 1.2.12 (which is still the latest release).

3 Likes

What is the normal approach?

If users identify this as a risk for them should they update zlib themselves and build from source until the next release?

(I’m guessing the last zlib update could be used as a guide? Chez Scheme: update zlib to v1.2.12 · racket/racket@2100cea · GitHub )

At first glance, it doesn't look like inflateGetHeader is used in Chez Scheme. (It might be possible to get to it via ffi/unsafe functionality, but, if you can run unsafe Racket code, you can already do arbitrarily bad stuff.) However,

In addition to the Zlib used by Chez Scheme, Zlib is also included on some platforms with the support libraries for racket/draw: see Zlib for `racket/draw` affected by CVE-2018-25032 · Issue #4286 · racket/racket · GitHub.

I started working on a script at one point to check for CVEs during CI; I'll try to get back to that.

4 Likes
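One way to do the CI check mentioned above: zlib embeds a banner of the form `inflate 1.2.12 Copyright 1995-2022 Mark Adler` in both its inflate and deflate objects, so a script can scan a built `racket` binary (or the `racket/draw` support libraries) for that banner and compare the version against the two advisories named in this thread. The following is an added example written for this thread, not code from the Racket project or from the script the poster mentions. The advisory table is constructed: CVE-2018-25032 is fixed in 1.2.12 (the version the linked commit updates to), and the 1.2.13 fix version for CVE-2022-37434 is an assumption added here, since the thread notes that 1.2.12 was still the latest release when it was written.

```python
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed advisory table for the two CVEs discussed in the thread.
# "fixed_in" is the first zlib release that is NOT affected.
# NOTE: the 1.2.13 entry for CVE-2022-37434 is an assumption added in this
# example; verify it against the current NVD record before relying on it.
ZLIB_ADVISORIES = [
    {"id": "CVE-2018-25032", "fixed_in": (1, 2, 12),
     "note": "deflate memory corruption with many distant matches"},
    {"id": "CVE-2022-37434", "fixed_in": (1, 2, 13),
     "note": "heap over-read in inflateGetHeader on large extra field"},
]

# zlib's inflate.c / deflate.c each embed a copyright banner with the version.
_BANNER_RE = re.compile(rb"(?:inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.2.12' (or '1.2.11.1') into a comparable tuple of ints.

    A trailing non-numeric component (e.g. a vendor suffix) ends parsing;
    any leading numeric components are kept so comparison still works.
    """
    parts: List[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable zlib version: {text!r}")
    return tuple(parts)


def find_zlib_version(blob: bytes) -> Optional[str]:
    """Return the zlib version string embedded in a binary, or None."""
    m = _BANNER_RE.search(blob)
    return m.group(1).decode("ascii") if m else None


def affected_cves(version: str) -> List[str]:
    """List the advisory ids whose fix version is newer than `version`."""
    v = parse_version(version)
    return [a["id"] for a in ZLIB_ADVISORIES if v < a["fixed_in"]]


def check_blob(blob: bytes) -> Dict[str, object]:
    """Scan one binary: report the embedded zlib version and open CVEs.

    A binary with no banner reports version None and no CVEs; callers
    should treat that as "could not determine", not as "clean".
    """
    version = find_zlib_version(blob)
    return {"version": version,
            "cves": affected_cves(version) if version else []}


def check_files(paths: List[str]) -> int:
    """CI entry point: scan each path, print findings, return exit status.

    Exit 1 if any scanned binary links a zlib with an open advisory.
    """
    status = 0
    for path in paths:
        with open(path, "rb") as f:
            result = check_blob(f.read())
        print(f"{path}: zlib {result['version']} -> {result['cves'] or 'no known CVEs'}")
        if result["cves"]:
            status = 1
    return status


# Constructed sample input: the banner as it appears in a zlib 1.2.12 build,
# surrounded by filler bytes standing in for the rest of the binary.
SAMPLE_BINARY = (b"\x7fELF" + b"\x00" * 16
                 + b" inflate 1.2.12 Copyright 1995-2022 Mark Adler "
                 + b"\x00" * 16)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(check_files(sys.argv[1:]))
    print(check_blob(SAMPLE_BINARY))
```

Run it as `python check_zlib.py /path/to/racket path/to/libz*.so` in CI; a non-zero exit status fails the job when any scanned binary still carries a zlib version older than an advisory's fix. The banner scan is deliberately dumb so it works on statically linked Chez Scheme builds as well as on separate shared libraries; it will not see a zlib that was built with the banner stripped, which is why an unreadable version is reported rather than silently passed.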