
Zlib crash-an-app bug finally squashed, 17 years later
2022-03-30 23:33

The widely used Zlib data-compression library finally has a patch to close a vulnerability that could be exploited to crash applications and services - four years after the vulnerability was first discovered but effectively left unfixed.

In short, this is a memory-corruption flaw on the compression side rather than the decompression side: software that uses zlib to compress attacker-supplied data can be made to write out of bounds and crash if that data is specially crafted.

DEFLATE, the compression format zlib implements, was standardised as an internet RFC in 1996 and shows up in a great many file formats and protocols for squashing and expanding data, so software that handles those inputs will very likely use zlib, in both directions.

"Many apps you use regularly will include code not only to decompress Zlib data when reading it in, but also to compress to Zlib format when saving or sending data, because DEFLATE is a sort of lingua franca for compressed data," a security vendor quoted in The Register's report explained.

As reported in 2018, the bug allows compressed output accumulating in deflate's pending buffer to overwrite the distance symbol table; that overwrite is the out-of-bounds write that brings the process down.

Users should install a non-vulnerable zlib shared library, typically by fetching the latest updates from their OS vendor. Developers should check that their software packages aren't relying on a vulnerable version of the dependency, bearing in mind that an OS update only fixes programs that load the system's shared library, not ones that bundle or statically link their own copy, and push out app or service updates as necessary.
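The developer-side check above is easy to get wrong, because the zlib a program was built against and the zlib it loads at run time can differ. The following Python script is an added example for this page, not code from zlib or from The Register; it assumes, as a fact not stated on this page, that zlib 1.2.12 is the first release carrying the fix, and it treats anything older than that as potentially affected. It parses zlib version strings defensively (vendor suffixes are tolerated, unparseable strings are rejected rather than silently passed) and reports both the compile-time and the runtime library version of the interpreter it runs in.

```python
"""Audit which zlib this Python process actually loads and whether it
predates the release that shipped the fix described above.

Added example for this page; not code from zlib or The Register.
Assumption: zlib 1.2.12 (March 2022) is the first release containing the
fix, so anything older is treated as potentially affected.
"""
import re
import zlib

# First release carrying the fix (assumption, see module docstring).
FIXED_VERSION = (1, 2, 12)

# Up to four dotted numeric fields; anything after them is ignored.
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?")


def parse_zlib_version(text):
    """Turn '1.2.11' or '1.2.11.1' into a four-field integer tuple.

    Trailing vendor suffixes such as '-zlib-ng' are ignored rather than
    rejected. A string with no leading digits raises ValueError, because
    silently treating an unknown build as fixed would hide a problem.
    Note that forks reporting a compatibility version are compared by that
    number, which may not reflect their own patch state.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised zlib version string: %r" % text)
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_before_fix(version_text, fixed=FIXED_VERSION):
    """True if version_text is older than the first fixed release."""
    ver = parse_zlib_version(version_text)
    fixed_padded = tuple(fixed) + (0,) * (len(ver) - len(fixed))
    return ver < fixed_padded


def audit(compile_time=None, runtime=None):
    """Compare the zlib Python was built against with the one loaded now.

    Both values default to the live interpreter's, but can be passed
    explicitly so the logic can be exercised offline. The runtime copy is
    the one that actually executes deflate, so that is the version that
    decides whether the process is exposed. A mismatch is normal for a
    dynamically linked interpreter after an OS update; a statically linked
    or bundled zlib is only fixed by rebuilding or updating the app.
    """
    compile_time = zlib.ZLIB_VERSION if compile_time is None else compile_time
    runtime = zlib.ZLIB_RUNTIME_VERSION if runtime is None else runtime
    return {
        "compile_time": compile_time,
        "runtime": runtime,
        "mismatch": parse_zlib_version(compile_time) != parse_zlib_version(runtime),
        "runtime_before_fix": is_before_fix(runtime),
    }


if __name__ == "__main__":
    report = audit()
    print("zlib compiled against: %s" % report["compile_time"])
    print("zlib loaded at runtime: %s" % report["runtime"])
    if report["runtime_before_fix"]:
        print("WARNING: runtime zlib predates 1.2.12; update the shared library")
    else:
        print("runtime zlib is 1.2.12 or later")
```

Run it inside the same environment (container image, virtualenv, deployed host) that serves real traffic, since the interesting result is the runtime value there, not on a developer laptop. The same comparison logic applies to any other language runtime that exposes its loaded zlib version.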


News URL

https://go.theregister.com/feed/www.theregister.com/2022/03/30/zlib_data_bug/
