Security researchers are trying to assess how serious a memory corruption bug in the widely used open source zlib data compression library is, after discovering that a fix for the flaw issued in 2018 never made it into a released version.
Google Project Zero researcher Tavis Ormandy discovered last week that a memory corruption bug made it possible to trigger a reproducible crash when compressing certain input with zlib version 1.2.11.
Ormandy found that the issue was in fact a known one: it was introduced 17 years ago in zlib 1.2.0.2, which added the Z_FIXED parameter to force the use of fixed Huffman coding, a lossless compression technique.
Although the bug (designated CVE-2018-25032) can cause an out-of-bounds access that crashes applications, the fix committed in 2018 was never shipped in a zlib release, because the most recent release of the compression library had come out in 2017.
Ormandy developed a proof of concept and, together with other security researchers, is currently taking stock of the severity of the bug, which so far appears difficult to trigger.
However, a working exploit would have far-reaching effects given how widely zlib is embedded in other open source projects, which would also make updating difficult.
The UNIX man page for zlib(3) notes that the compression library is used by a large number of applications:
"zlib is built in to many languages and operating systems, including but not limited to Java, Python, .NET, PHP, Perl, Ruby, Swift, and Go".
Web browsers, Microsoft Office productivity applications, media players and image editors are also known to use zlib, and it is found in embedded systems too, making every copy that needs upgrading hard to track down.
"Let's hope cleaning up old static copies of zlib isn't going to be a mess for years to come," Ormandy wrote on a security mailing list discussing the potential ramifications of the bug.
A fixed version of zlib, 1.2.12, is now available, and users are advised to update to that version of the compression library.
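A practical check, added here and not taken from the article or the zlib project: it reports which zlib the running Python interpreter actually links (which may differ from the one CPython was built against), flags builds older than 1.2.12, and performs a raw-deflate round-trip with the Z_FIXED strategy the article mentions, reading the first block header to confirm fixed Huffman coding is in use. The version-comparison helper and the sample input are assumptions of this example; the header bit layout is the deflate format's (RFC 1951).

```python
import re
import zlib

# First zlib release that ships the 2018 fix for CVE-2018-25032.
FIXED_IN = (1, 2, 12)


def parse_zlib_version(version: str) -> tuple:
    """Turn '1.2.11', '1.2.11.1' or '1.2.11.1-motley' into a comparable tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised zlib version string: {version!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def is_affected(version: str) -> bool:
    """True when the build predates 1.2.12 and therefore still lacks the Z_FIXED fix."""
    return parse_zlib_version(version)[:3] < FIXED_IN


def runtime_zlib_report() -> dict:
    """Inventory the zlib the running interpreter loaded, not the one it was compiled with."""
    runtime = zlib.ZLIB_RUNTIME_VERSION
    return {"runtime_version": runtime, "affected": is_affected(runtime)}


def deflate_fixed(data: bytes) -> bytes:
    """Raw deflate (negative wbits = no zlib header) using the Z_FIXED strategy."""
    c = zlib.compressobj(level=6, method=zlib.DEFLATED, wbits=-15,
                         memLevel=8, strategy=zlib.Z_FIXED)
    return c.compress(data) + c.flush()


def first_block_type(raw: bytes) -> int:
    """BTYPE of the first raw deflate block: bit 0 is BFINAL, bits 1-2 are BTYPE.

    0 = stored, 1 = fixed Huffman, 2 = dynamic Huffman (RFC 1951, section 3.2.3).
    """
    return (raw[0] >> 1) & 0b11


# Constructed, highly compressible sample input (assumption of this example).
SAMPLE = b"zlib deflate with fixed Huffman codes " * 64


def demo() -> dict:
    """Round-trip the sample with Z_FIXED and combine the result with the version report."""
    raw = deflate_fixed(SAMPLE)
    restored = zlib.decompress(raw, wbits=-15)
    report = runtime_zlib_report()
    report.update({"first_block_type": first_block_type(raw),
                   "roundtrip_ok": restored == SAMPLE})
    return report
```

Run `demo()` on each host you maintain; an `affected` value of True means the interpreter is loading a pre-1.2.12 zlib and any code path compressing with Z_FIXED is exposed to the crash described above.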