Zlib crash-an-app bug finally squashed, 17 years later

The widely used Zlib data-compression library finally has a patch to close a vulnerability that could be exploited to crash applications and services — four years after the vulnerability was first discovered but effectively left unfixed.

Google Project Zero bug hunter Tavis Ormandy alerted the Open-Source-Software-Security mailing list about the programming blunder, CVE-2018-25032, which he found while trying to pinpoint the cause of a compressor crash.

“I reported it upstream, but it turns out the issue has been public since 2018, but the patch never made it into a release,” Ormandy wrote. “As far as I know, nobody ever assigned it a CVE.”

Plus, when the issue was reported in April 2018 by Eideticom’s Danilo Ramos, it was already 13 years old — meaning this bug has been around, and awaiting potential exploit, for 17 years.

The fix never made it into a Zlib software update, and a few days after reporting the flaw this month, Ormandy demonstrated a proof-of-concept exploit that works against default and non-default compression strategies supported by the library. That means it’s likely an application or network service passed maliciously crafted compressed data could crash when trying to unpack it. As Ormandy tweeted: “Yikes.” 

In short, this is a memory-corruption flaw: software that relies on zlib to compress user-supplied data can be made to crash and terminate, through an out-of-bounds write, if that data is specially formatted. Depending on how this user-controlled information is used, some backup operations and logging could be unexpectedly stopped, for instance. It is rated 7.5 out of 10 in terms of CVSS severity, or simply: high severity.

The reason this bug is a big deal, in addition to its nearly two decades in existence, is that the open-source Zlib is so widely used, meaning there are plenty of potential opportunities for exploitation. Zlib’s algorithm, DEFLATE, which became an internet standard in 1996, shows up in a lot of file formats and protocols, for squashing and expanding data, and software handling these inputs will likely use zlib.

These programs include Firefox, Edge, Chromium, and Tor; PDF reader Xpdf; media player VLC; Word and Excel compatible software LibreOffice; and image editor GIMP, according to Sophos.

“Many apps you use regularly will include code not only to decompress Zlib data when reading it in, but also to compress to Zlib format when saving or sending data, because DEFLATE is a sort of lingua franca for compressed data,” the infosec biz explained.

As reported in 2018, the Zlib bug allows data in a pending buffer to overwrite a distance symbol table. This can lead to out-of-bounds access that crashes the application, and potentially causes denial of service.

While this could lead to a DoS attack, “at this point, it does not appear that the vulnerability leads to Remote Code Execution, but as the story progresses and more analysts begin to look into the issue, RCE is not out of the question,” warned Orca Security’s Tohar Braun.

A patch is available on GitHub, and security analysts recommend updating to Zlib version 1.2.12. Linux distros Ubuntu and Alpine, to name two, have also implemented the fix in their latest releases. Users should install a non-vulnerable zlib shared library, typically from their OS maker by fetching the latest updates, and developers should ensure their software packages aren’t relying on a vulnerable version of the dependency, pushing out app or service updates as necessary. ®
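
One way to act on the advice above, as an added example that is not from the article or the zlib project: report the zlib version the running interpreter is linked against, and search a binary's bytes for the version string zlib's deflate code embeds, which exposes statically linked or vendored copies. The function names and the sample bytes are assumptions made for this illustration.

```python
import re
import zlib

# First upstream release with the fix, per the article.
FIXED = (1, 2, 12)

# zlib's deflate.c embeds a string beginning " deflate <version> Copyright". It
# survives static linking and vendoring, so it reveals bundled copies.
DEFLATE_TAG = re.compile(rb" deflate (\d+(?:\.\d+){1,3})[^ ]* Copyright")

def parse_version(text):
    """Return the leading integers of a version such as '1.2.11' as a tuple."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_vulnerable(version_text):
    """True when the version predates 1.2.12 (unparseable input counts as old)."""
    return parse_version(version_text) < FIXED

def embedded_zlib_versions(blob):
    """Return the set of zlib versions whose deflate tag appears in blob."""
    return {m.group(1).decode("ascii") for m in DEFLATE_TAG.finditer(blob)}

def audit(blob):
    """Map each embedded zlib version in blob to True if it predates the fix."""
    return {v: is_vulnerable(v) for v in embedded_zlib_versions(blob)}

def runtime_status():
    """Version of the zlib this interpreter is linked against, and its status."""
    version = zlib.ZLIB_RUNTIME_VERSION
    return version, is_vulnerable(version)

# Constructed sample: bytes standing in for a binary bundling two zlib copies.
SAMPLE = (
    b"\x7fELF\x00 deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler \x00"
    b"\x00 deflate 1.2.12 Copyright 1995-2022 Jean-loup Gailly and Mark Adler \x00"
)

if __name__ == "__main__":
    print("runtime zlib:", runtime_status())
    for version, old in sorted(audit(SAMPLE).items()):
        print(version, "predates 1.2.12" if old else "has the upstream fix")
```

A distribution may backport the fix without changing the upstream version string, so a 1.2.11 hit in a packaged library is a prompt to check the vendor's advisory, not proof that the library is unpatched.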