Zlib data compressor fixes 17-year-old security bug – patch, errrm, now
What this means is that many apps you use regularly will include code not only to decompress Zlib data when reading it in, but also to compress to Zlib format when saving or sending data, because DEFLATE is a sort of lingua franca for compressed data.
With a legacy that long, and with an algorithm that was locked down as an internet standard back in 1996, you'd no doubt assume that Zlib had very few bugs left, and that any serious ones, such as those leading to the sort of memory corruption that could be exploitable for remote code execution, would have been found by now.
Well, Google bug-hunter Tavis Ormandy, who has uncovered some truly funky bugs in his storied bug-hunting career, just found a curious and possibly, just possibly, exploitable bug in the Zlib code.
Memory mismanagement can happen anywhere a programmer is careless about which data gets written where, but in compression software this sort of bug is much more common in the code that expands data from its compressed form, because you can't reliably know how much memory you'll need to hold the decompressed output until you actually decompress it. Compression is the easier side to get right in that respect: the output can't grow much beyond the input (zlib even provides deflateBound() to compute a safe upper limit in advance), which is why a memory-corruption bug in the deflate path is a rarity.
Astonishingly, if not actually amusingly, the fact that the bug was first investigated in 2018 means that the official bug number for this vulnerability is CVE-2018-25032, even though it was only assigned this week.
Although this bug is difficult to trigger, there are many places, notably on servers, where untrusted data supplied by an outsider is compressed automatically and then archived, logged or transmitted by the system, so an attacker doesn't need to control the decompression side at all. The fix is in zlib 1.2.12.
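As an added example, not code from the article or from the zlib project, the Python sketch below shows the two checks a server operator would want after reading the paragraphs above: a runtime check of the zlib version a process is actually linked against, measured against the 1.2.12 floor given in the table below, and a bounded inflate for the decompression side, where output size is unknowable in advance. The compression helper sticks to Z_DEFAULT_STRATEGY (the zlib 1.2.12 change log describes the fix as a crash in deflate on some input when using Z_FIXED). The function names, the constructed sample request text and the constructed decompression bomb are assumptions of this example.

```python
import zlib

# Version that carries the upstream fix for CVE-2018-25032 (from the advisory table).
MIN_FIXED_ZLIB = (1, 2, 12)


def parse_zlib_version(version: str) -> tuple:
    """Turn a zlib version string such as '1.2.11' or '1.2.13.zlib-ng' into a
    tuple of ints that compares numerically.  Parsing stops at the first
    component that does not start with a digit (vendor suffixes)."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def zlib_is_fixed(version: str = None) -> bool:
    """True if the given zlib version (default: the one this process loaded)
    reports a release containing the deflate fix.  Caveat: distributions that
    backport the patch keep the old version string, so False means 'go and
    read the package changelog', not 'definitely vulnerable'."""
    if version is None:
        version = zlib.ZLIB_RUNTIME_VERSION
    return parse_zlib_version(version) >= MIN_FIXED_ZLIB


def deflate_untrusted(data: bytes, level: int = 6) -> bytes:
    """Compress attacker-supplied bytes with an explicit default strategy and
    return a zlib-wrapped stream.  Compressed output is bounded by the input
    size plus a small overhead, so no size cap is needed on this side."""
    comp = zlib.compressobj(level, zlib.DEFLATED, zlib.MAX_WBITS, 8,
                            zlib.Z_DEFAULT_STRATEGY)
    return comp.compress(data) + comp.flush()


def bounded_inflate(blob: bytes, max_out: int) -> bytes:
    """Decompress a zlib stream but refuse to produce more than max_out bytes.
    decompressobj.decompress() with a max_length stops emitting output once
    the limit is reached and parks the unread input in unconsumed_tail, so an
    oversized stream is detected after max_out + 1 bytes rather than after
    exhausting memory."""
    d = zlib.decompressobj()
    out = bytearray()
    pending = blob
    while pending:
        room = max_out - len(out) + 1   # one byte past the cap is enough to know
        out += d.decompress(pending, room)
        if len(out) > max_out:
            raise ValueError(f"decompressed size exceeds {max_out} bytes")
        pending = d.unconsumed_tail
    if not d.eof:
        raise ValueError("truncated or corrupt zlib stream")
    return bytes(out)


# Constructed sample inputs (assumptions of this example, not from the page).
SAMPLE_TEXT = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n" * 20
SAMPLE_BOMB = zlib.compress(b"\0" * (4 * 1024 * 1024))   # ~4 MiB of zeros -> a few KiB


def demo() -> dict:
    """Exercise the helpers and return what was observed."""
    result = {
        "runtime_version": zlib.ZLIB_RUNTIME_VERSION,
        "version_check": zlib_is_fixed(),
    }
    blob = deflate_untrusted(SAMPLE_TEXT)
    result["round_trip_ok"] = bounded_inflate(blob, len(SAMPLE_TEXT)) == SAMPLE_TEXT
    try:
        bounded_inflate(SAMPLE_BOMB, 64 * 1024)
        result["bomb_blocked"] = False
    except ValueError:
        result["bomb_blocked"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The version check is deliberately advisory: a zlib reporting 1.2.11 may already carry a vendor backport, so treat a negative result as a prompt to check the package changelog rather than as proof of exposure. The inflate cap is the more robust control, because it works regardless of which zlib is loaded.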
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS base score)
---|---|---|---
2022-03-25 | CVE-2018-25032 | Out-of-bounds Write vulnerability in multiple products: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. | 7.5