
Popular Open-Source Data Compression Technology Reveals Ugly Flaw

A buffer overflow vulnerability in Zlib could allow attackers to crash zlib-enabled applications.

Zlib, a popular open-source data compression library, revealed an ugly flaw last month: a buffer overflow in its decompression code that could allow attackers to crash any application that uses zlib to inflate data it receives.

Version 1.2.2 of zlib, which ships with many Linux and BSD distributions and is embedded in products from mobile phones to Xboxes, contains a vulnerability that can be exploited for denial of service, according to Secunia, a Danish security software company. Secunia reported the flaw after it was discovered by Tavis Ormandy, a member of the Gentoo Linux security audit team.

A malicious user could trigger an "unhandled error condition" by sending specially crafted compressed data to a zlib-enabled application, according to a report from CERT. When the application hands that data to zlib for decompression, the library overruns an internal buffer and the process crashes. Any program that inflates data from an untrusted source is exposed, including network services and clients that handle compressed content and viewers for zlib-based file formats such as PNG. The public reports describe the impact as a crash; as with any overflow that writes past a buffer, a practitioner should treat the issue as potentially more serious until the fixed version is in place.

The zlib developers are working on a new version, zlib 1.2.3, that fixes the hole. In the meantime, Gentoo, Red Hat and several other Linux vendors have issued patched packages, so contact your vendor for a fix. Note that a patched system library does not cover applications that bundle or statically link their own copy of zlib; those need an update from their respective vendors, and it is worth checking which zlib each such application actually loads.
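The following is an added example, not code from the original article or from the zlib project. It illustrates the two practical points above: inflating data from an untrusted source so that zlib's error return is a handled condition rather than a crash, and checking the zlib version actually loaded at runtime against the fixed release the article names (1.2.3). It uses Python's standard zlib module; the sample inputs are constructed and merely malformed, and it does not reproduce the crafted stream that triggers the 1.2.2 bug. The version threshold and the output cap are assumptions for the example.

```python
"""Added example (not from the article or the zlib project): defensive
inflation of untrusted data plus a runtime zlib version check."""
import re
import zlib

# The article names 1.2.3 as the fixed release. Assumption: anything older
# is treated as affected (intermediate point releases are not considered).
MIN_FIXED_VERSION = (1, 2, 3)

# Cap on inflated output so a small input cannot be expanded without bound.
MAX_OUTPUT = 1 << 20


def parse_version(version: str) -> tuple:
    """Turn '1.2.3' or '1.2.13.zlib-ng' into a tuple of ints for comparison."""
    match = re.match(r"(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable zlib version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def version_is_fixed(version: str) -> bool:
    """True if the given zlib version is at or above the fixed release."""
    return parse_version(version) >= MIN_FIXED_VERSION


def runtime_zlib_report() -> dict:
    """Compare the zlib headers Python was compiled against with the library
    loaded at runtime. The two differ when an application bundles its own
    zlib, which is why a patched system package may not be enough.
    ZLIB_RUNTIME_VERSION exists from Python 3.3; older interpreters fall
    back to the compile-time value."""
    compiled = zlib.ZLIB_VERSION
    runtime = getattr(zlib, "ZLIB_RUNTIME_VERSION", compiled)
    return {
        "compiled_against": compiled,
        "loaded_at_runtime": runtime,
        "runtime_is_fixed": version_is_fixed(runtime),
    }


def safe_inflate(data: bytes, max_output: int = MAX_OUTPUT):
    """Inflate untrusted zlib-wrapped data.

    Returns (True, payload) on success, or (False, reason) for any failure
    mode: corrupt header, bad Adler-32 trailer or invalid deflate codes
    (all raised as zlib.error), a truncated stream, or output that would
    exceed max_output.
    """
    decoder = zlib.decompressobj()
    try:
        payload = decoder.decompress(data, max_output)
    except zlib.error as exc:
        return False, f"zlib error: {exc}"
    if not decoder.eof:
        # Heuristic: input left over means we stopped because of max_output;
        # no input left and no end-of-stream marker means the data was cut short.
        if decoder.unconsumed_tail:
            return False, "output exceeds limit"
        return False, "incomplete or truncated stream"
    return True, payload


# Constructed sample inputs (not taken from any advisory).
SAMPLE = b"hello zlib " * 100
GOOD = zlib.compress(SAMPLE)
BAD_HEADER = b"\x78\x00" + GOOD[2:]   # (CMF*256 + FLG) % 31 != 0: header check fails
TRUNCATED = GOOD[:-6]                 # drops the Adler-32 trailer and the end of the last block
BOMB = zlib.compress(b"\x00" * 4096)  # a few dozen bytes in, 4 KiB out


if __name__ == "__main__":
    print(runtime_zlib_report())
    cases = [("good", GOOD, MAX_OUTPUT), ("bad header", BAD_HEADER, MAX_OUTPUT),
             ("truncated", TRUNCATED, MAX_OUTPUT), ("bomb", BOMB, 1024)]
    for name, blob, limit in cases:
        ok, result = safe_inflate(blob, limit)
        print(f"{name:10s} ok={ok} {len(result) if ok else result}")
```

The version check is the part most people skip: comparing `ZLIB_VERSION` (the headers at build time) with `ZLIB_RUNTIME_VERSION` (the shared library found at load time) is how you notice that an application carries its own copy of zlib and was not covered by the distribution's update.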