Four years after the vulnerability was first found but left unpatched, the widely used Zlib data-compression library now has a patch to close a vulnerability that might be abused to crash apps and services. Tavis Ormandy, a bug hunter for Google Project Zero, informed the Open-Source-Software-Security mailing list about the programming error, CVE-2018-25032, which he discovered while trying to figure out what caused a compressor crash.
"We reported it upstream, but it turns out the bug is already public since 2018, but the update never made it into a release. As far as they are aware, no CVE has ever been assigned to it." Ormandy stated.
Furthermore, when Eideticom's Danilo Ramos discovered the defect in April 2018, it was 13 years old, implying this bug had been lurking for 17 years, waiting to be exploited.
Zlib is a data-compression general-purpose library that is free, and legally unencumbered (i.e., not covered by any patents). It can be used on nearly any computer hardware and operating system. Anyone who has ever used softwares like PKZIP, WinRAR, 7-Zip, or any archiving utilities will attest to how data compression software has always been useful.
The primary goal of data compression is to save space, such as by reducing the amount of storage space required for backups or reducing data transfer bandwidth. Despite the computational overhead of squashing and expanding data before and after storing or sending it, compression frequently saves time and space by reducing the amount of data that must be moved back and forth between a fast storage location like RAM (memory) and a slow storage location like a disc, tape, or network.
The patch was never included in a Zlib software update, and Ormandy showed a proof-of-concept exploit which works against both default and non-default compression schemes supported by the library just a few days after discovering the problem. This means any attempt to unpack maliciously designed compressed data may cause an application or network service to crash.
In a nutshell, this is a memory corruption flaw: if user-supplied data is particularly formatted, software that relies on Zlib to compress it can crash and terminate due to an out-of-bounds write. The open-source Zlib is so extensively used that there are plenty of potential avenues for exploitation, which is why this problem is such a huge deal, in contrast to its nearly two-decade history. Zlib's algorithm, DEFLATE, which became an internet standard in 1996, is used to squash and expand data in a variety of file formats and protocols, and the software it handles these inputs to, will almost certainly use zlib.
According to Sophos, these programs include Firefox, Edge, Chromium, and Tor, as well as the PDF reader Xpdf, video player VLC, Word and Excel compatible software LibreOffice, and picture editor GIMP. The Zlib problem, which was first discovered in 1998, enables data in a pending buffer to corrupt a distance symbol table. Out-of-bounds access can cause the program to crash and even create a denial of service.
Users should install a non-vulnerable version of the zlib shared library, which they can usually get from the OS maker by downloading the latest updates, and developers should make sure the software packages don't rely on a vulnerable version of the reliance, pushing out app or service updates as needed.
