Zlib’s crash-an-app bug finally fixed, 17 years later


The widely used Zlib data compression library finally has a patch to close a vulnerability that could be exploited to crash applications and services – four years after the vulnerability was discovered but left unpatched.

Google Project Zero bug hunter Tavis Ormandy alerted the oss-security mailing list to the programming error, CVE-2018-25032, which he discovered while trying to determine the cause of a compressor crash.

“I reported it upstream, but it turns out the issue has been public since 2018, but the fix was never released,” Ormandy wrote. “As far as I know, no one has ever given it a CVE.”

Additionally, when the issue was reported in April 2018 by Danilo Ramos of Eideticom, the bug was already 13 years old, which means it has been around, waiting for a potential exploit, for 17 years.

The patch was never part of a Zlib software update, and days after reporting the flaw this month, Ormandy demonstrated a proof-of-concept exploit that works against both the library's default compression strategy and the non-default strategies it supports. This means it is likely that an application or network service fed maliciously crafted compressed data could crash while attempting to decompress it. As Ormandy tweeted: “Yuk.”

In short, it’s a memory corruption flaw: software that relies on zlib to compress user-supplied data may crash and terminate, via an out-of-bounds write, if that data is specially formatted. Depending on how this user-controlled information is used, some backup and logging operations may stop unexpectedly, for example. Document viewers and editors might fail to open files, and browser windows or tabs might explode.

It is rated 7.5 out of 10 in CVSS severity, or simply: high severity.

The reason this bug is such a big deal, in addition to its nearly two decades of existence, is that the open-source Zlib is so widely used, which means there are many potential opportunities for exploitation. Zlib’s algorithm, DEFLATE, which became an Internet standard in 1996, appears in many file formats and protocols to compress and expand data, and software handling these inputs will likely use zlib.

These programs include Firefox, Edge, Chromium, and Tor; PDF reader Xpdf; VLC media player; Word and Excel compatible software LibreOffice; and the GIMP image editor, according to Sophos.

“Many applications that you use regularly will include code not only to decompress Zlib data when reading it, but also to compress to Zlib format when saving or sending data, because DEFLATE is a kind of lingua franca for compressed data,” the infosec biz explained.

As reported in 1998, the Zlib bug allows data from the pending buffer to overwrite the distance symbol table. This can lead to an out-of-bounds access that crashes the application and potentially causes a denial of service.

While this could lead to a DoS attack, “at this point it doesn’t appear that the vulnerability leads to remote code execution, but as the story progresses and more analysts begin to look into the problem, RCE is not out of the question,” warned Tohar Braun of Orca Security.

A patch is available on GitHub, and security analysts recommend updating to Zlib version 1.2.12. Linux distributions Ubuntu and Alpine, to name two, have also shipped the fix in their latest releases. Users should install a non-vulnerable zlib shared library, usually by getting the latest updates from their operating system vendor, and developers should ensure that their software packages do not rely on a vulnerable version of the dependency, releasing application or service updates as needed. ®
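One practical check a developer can run is to compare the zlib version their interpreter was built against, and the one it actually loads at runtime, with the 1.2.12 fix version named above. The script below is an added example written for this article, not code from the zlib project or from the article's sources; the helper names (`parse_version`, `is_vulnerable`, `report_runtime`) and the sample version strings are constructed for illustration. It uses only the standard library's `zlib.ZLIB_VERSION` and `zlib.ZLIB_RUNTIME_VERSION` attributes.

```python
import re
import zlib

# Version in which the fix for CVE-2018-25032 shipped, per the article.
FIXED_VERSION = (1, 2, 12)


def parse_version(version: str) -> tuple:
    """Turn a zlib version string such as '1.2.11.1' or '1.2.13-rc1'
    into a tuple of integers, ignoring any trailing suffix."""
    match = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised zlib version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True if the given upstream zlib version predates the 1.2.12 fix.

    Only the first three components are compared, so a point release
    like '1.2.11.1' is still reported as vulnerable, and a short
    string like '1.3' compares as (1, 3, 0)."""
    parsed = parse_version(version)
    padded = parsed + (0,) * max(0, 3 - len(parsed))
    return padded[:3] < FIXED_VERSION


def report_runtime() -> dict:
    """Describe the zlib this interpreter was compiled against and the
    shared library it actually loaded (these can differ on systems
    where libz is a separately updated package)."""
    compiled = zlib.ZLIB_VERSION
    runtime = zlib.ZLIB_RUNTIME_VERSION
    return {
        "compiled_against": compiled,
        "loaded_at_runtime": runtime,
        "runtime_predates_fix": is_vulnerable(runtime),
    }


if __name__ == "__main__":
    # Constructed sample strings showing how each form is classified.
    for sample in ("1.2.11", "1.2.11.1", "1.2.12", "1.2.13-rc1", "1.3"):
        print(f"{sample:<10} predates fix: {is_vulnerable(sample)}")
    print(report_runtime())
```

One caveat worth keeping in mind: distributions such as Ubuntu often backport security fixes without bumping the upstream version string, so a system whose libz still reports 1.2.11 may already carry the patch. Treat a "predates fix" result from this check as a prompt to consult the vendor's advisory or package changelog, not as proof of exposure.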

