Language Selection

English French German Italian Portuguese Spanish

Zlib Security Flaw Exposes Swath of Programs

Filed under
Security

A serious security flaw has been identified in Zlib, a widely used data compression library. Fixes have begun to appear, but a large number of programs could be affected.

Zlib is a data compression library that is used by many third-party programs and is distributed with many operating systems, including many Linux and BSD distributions.

Microsoft Corp. and other proprietary software companies also use the library in many programs. These companies can do so because Zlib is licensed under liberal BSD-style license.

This isn't the first time that the popular Zlib has been the center of a security concern. In 2002, a problem with how it handled memory allocation became a major concern.

This time, the flaw is a buffer overflow in the decompression process. Because the program doesn't properly validate input data, it can be fed bad data, which can lead to a buffer overflow.

This, in turn, means that if a user opens a file with a Zlib-enabled application, such as a Web browser or data compression tool, which contains specially malformed compressed data, an attacker could execute arbitrary code as the user. If this user were running as a system administrator the flaw would run at that level as well.

Since Zlib is so ubiquitous, this represents a serious security concern.

It's not clear how many programs are affected, but some operating system distributions are widely exposed. According to one source, numerous key packages in the Fedora Core 3 distribution use Zlib. Symantec Corp. reports that AIX, Debian, FreeBSD, Gentoo, SuSE, Red Hat, Ubuntu and many other operating systems are affected.

Full Story.

UPDATE: Linux vendors pump out highly critical patch.

More in Tux Machines

It Turns Out RISC-V Hardware So Far Isn't Entirely Open-Source

While they are trying to make it an open board, as it stands now Minnich just compares this RISC-V board as being no more open than an average ARM SoC and not as open as IBM POWER. Ron further commented that he is hoping for other RISC-V implementations from different vendors be more open. Read more

Perl 5.28.0 released

Version 5.28.0 of the Perl language has been released. "Perl 5.28.0 represents approximately 13 months of development since Perl 5.26.0 and contains approximately 730,000 lines of changes across 2,200 files from 77 authors". The full list of changes can be found over here; some highlights include Unicode 10.0 support, string- and number-specific bitwise operators, a change to more secure hash functions, and safer in-place editing. Read more

Today in Techrights

Will Microsoft’s Embrace Smother GitHub?

Microsoft has had an adversarial relationship with the open-source community. The company viewed the free Open Office software and the Linux operating system—which compete with Microsoft Office and Windows, respectively—as grave threats. In 2001 Windows chief Jim Allchin said: “Open source is an intellectual-property destroyer.” That same year CEO Steve Ballmer said “Linux is a cancer.” Microsoft attempted to use copyright law to crush open source in the courts. When these tactics failed, Microsoft decided if you can’t beat them, join them. It incorporated Linux and other open-source code into its servers in 2014. By 2016 Microsoft had more programmers contributing code to GitHub than any other company. The GitHub merger might reflect Microsoft’s “embrace, extend and extinguish” strategy for dominating its competitors. After all, GitHub hosts not only open-source software and Microsoft software but also the open-source projects of other companies, including Oracle, IBM, and Amazon Web Services. With GitHub, Microsoft could restrict a crucial platform for its rivals, mine data about competitors’ activities, target ads toward users, or restrict free services. Its control could lead to a sort of surveillance of innovative activity, giving it a unique, macro-scaled insight into software development. Read more