Language Selection

English French German Italian Portuguese Spanish

Zlib Security Flaw Exposes Swath of Programs

Filed under
Security

A serious security flaw has been identified in Zlib, a widely used data compression library. Fixes have begun to appear, but a large number of programs could be affected.

Zlib is a data compression library that is used by many third-party programs and is distributed with many operating systems, including many Linux and BSD distributions.

Microsoft Corp. and other proprietary software companies also use the library in many programs. These companies can do so because Zlib is licensed under liberal BSD-style license.

This isn't the first time that the popular Zlib has been the center of a security concern. In 2002, a problem with how it handled memory allocation became a major concern.

This time, the flaw is a buffer overflow in the decompression process. Because the program doesn't properly validate input data, it can be fed bad data, which can lead to a buffer overflow.

This, in turn, means that if a user opens a file with a Zlib-enabled application, such as a Web browser or data compression tool, which contains specially malformed compressed data, an attacker could execute arbitrary code as the user. If this user were running as a system administrator the flaw would run at that level as well.

Since Zlib is so ubiquitous, this represents a serious security concern.

It's not clear how many programs are affected, but some operating system distributions are widely exposed. According to one source, numerous key packages in the Fedora Core 3 distribution use Zlib. Symantec Corp. reports that AIX, Debian, FreeBSD, Gentoo, SuSE, Red Hat, Ubuntu and many other operating systems are affected.

Full Story.

UPDATE: Linux vendors pump out highly critical patch.

More in Tux Machines

today's leftovers

  • Top Lightweight Linux Distributions To Try In 2017
    Today I am going to discuss the top lightweight Linux distros you can try this year on your computer. Although you got yourself a prettyLinuxle linux already but there is always something new to try in Linux. Remember I recommend to try this distros in virtualbox firstly or with the live boot before messing with your system. All distro that I will mention here will be new and somewhat differ from regular distros.
  • [ANNOUNCE] linux-4.10-ck1 / MuQSS CPU scheduler 0.152
  • MSAA Compression Support For Intel's ANV Vulkan Driver
    Intel developer Jason Ekstrand posted a patch over the weekend for enabling MSAA compression support within the ANV Vulkan driver.
  • Highlights of YaST development sprint 31
    As we announced in the previous report, our 31th Scrum sprint was slightly shorter than the usual ones. But you would never say so looking to this blog post. We have a lot of things to talk you about!
  • Comparing Mobile Subscriber Data Across Different Sources - How accurate is the TomiAhonen Almanac every year?
    You’ll see that last spring I felt the world had 7.6 Billion total mobile subscriptions when machine-to-machine (M2M) connections are included. I felt the world had 7.2 Billion total subscriptions when excluding M2M and just counting those in use by humans. And the most relevant number (bottom line) is the ‘unique’ mobile users, which I felt was an even 5.0 Billion humans in 2015. The chart also has the total handsets-in-use statistic which I felt was 5.6 Billion at the end of 2015. Note that I was literally the first person to report on the distinction of the unique user count vs total subscriptions and I have been urging, nearly begging for the big industry giants to also measure that number. They are slowly joining in that count. Similarly to M2M, we also are now starting to see others report M2M counts. I have yet to see a major mobile statistical provider give a global count of devices in use. That will hopefully come also, soon. But lets examine these three numbers that we now do have other sources, a year later, to see did I know what I was doing.

Leftovers: Gaming

Leftovers: Software

Linux and FOSS Events

  • Debian SunCamp 2017 Is Taking Place May 18-21 in the Province of Girona, Spain
    It looks like last year's Debian SunCamp event for Debian developers was a total success and Martín Ferrari is back with a new proposal that should take place later this spring during four days full of hacking, socializing, and fun. That's right, we're talking about Debian SunCamp 2017, an event any Debian developer, contributor, or user can attend to meet his or hers Debian buddies, hack together on new projects or improve existing ones by sharing their knowledge, plan upcoming features and discuss ideas for the Debian GNU/Linux operating system.
  • Pieter Hintjens In Memoriam
    Pieter Hintjens was a writer, programmer and thinker who has spent decades building large software systems and on-line communities, which he describes as "Living Systems". He was an expert in distributed computing, having written over 30 protocols and distributed software systems. He designed AMQP in 2004, and founded the ZeroMQ free software project in 2007. He was the author of the O'Reilly ZeroMQ book, "Culture and Empire", "The Psychopath Code", "Social Architecture", and "Confessions of a Necromancer". He was the president of the Foundation for a Free Information Infrastructure (FFII), and fought the software patent directive and the standardisation of the Microsoft OOXML Office format. He also organized the Internet of Things (IOT) Devroom here at FOSDEM for the last 3 years. In April 2016 he was diagnosed with terminal metastasis of a previous cancer.
  • foss-gbg on Wednesday
    The topics are Yocto Linux on FPGA-based hardware, risk and license management in open source projects and a product release by the local start-up Zifra (an encryptable SD-card). More information and free tickets are available at the foss-gbg site.