2022-09-05

Attackers could potentially inject and execute malicious code through the widespread zlib compression library. The first patches are available.

A vulnerability has been discovered in the zlib library, which provides compression functions. This could allow attackers to inject and execute code. The first patches are ready to close the gap. Some Linux distributions are now distributing updated packages.


According to the entry in the CVE database, zlib up to version 1.2.12 contains a heap-based buffer overflow in the function inflateGetHeader in inflate.c. It can be triggered by manipulated data in the extra field of a so-called “large gzip header”. However, this only affects applications that actually call inflateGetHeader; the authors of the entry qualify the impact by noting that some common applications bundle zlib but never call the vulnerable function at all (CVE-2022-37434, CVSS 9.8, risk “critical”).
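To make the header field the CVE entry points at concrete, here is an added example in Python (not code from the article or from zlib): it parses the RFC 1952 gzip header and rejects a stream whose extra field would exceed the buffer size an application would pass as gz_header.extra_max, which is the kind of pre-filter worth placing in front of input that later reaches an unpatched, statically linked zlib. The extra_max limit and the spliced-together sample stream are assumptions constructed for the example.

```python
"""Pre-filter for gzip input: parse the RFC 1952 header and reject streams whose
FEXTRA field would not fit the buffer an application hands to inflateGetHeader().
Added example, not code from the article or from zlib itself."""
import gzip
import io
import struct

FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x08, 0x10

def parse_gzip_extra(data: bytes, extra_max: int):
    """Return (extra_bytes, header_len) or raise ValueError.
    extra_max plays the role of gz_header.extra_max, the size of the caller-owned
    buffer zlib may fill; larger extra fields are rejected before inflate sees them."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    if data[2] != 8:
        raise ValueError("unsupported compression method")
    flg, pos, extra = data[3], 10, b""
    if flg & FEXTRA:
        if len(data) < pos + 2:
            raise ValueError("truncated XLEN")
        (xlen,) = struct.unpack_from("<H", data, pos)
        pos += 2
        if xlen > extra_max:
            raise ValueError(f"extra field of {xlen} bytes exceeds limit {extra_max}")
        if len(data) < pos + xlen:
            raise ValueError("truncated extra field")
        extra, pos = data[pos:pos + xlen], pos + xlen
    for flag in (FNAME, FCOMMENT):  # optional zero-terminated strings
        if flg & flag:
            end = data.find(b"\x00", pos)
            if end < 0:
                raise ValueError("unterminated string field")
            pos = end + 1
    if flg & FHCRC:
        pos += 2  # CRC16 of the header
    return extra, pos

def safe_decompress(data: bytes, extra_max: int = 256) -> bytes:
    """Run the header check first, then decompress with the stdlib."""
    parse_gzip_extra(data, extra_max)
    return gzip.decompress(data)

def make_sample(extra: bytes) -> bytes:
    """Constructed input: a gzip member with `extra` spliced in as its FEXTRA field."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        gz.write(b"hello zlib")
    raw = buf.getvalue()  # FLG is 0 here: BytesIO has no .name, so no FNAME
    return (raw[:3] + bytes([raw[3] | FEXTRA]) + raw[4:10]
            + struct.pack("<H", len(extra)) + extra + raw[10:])
```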

Impact and Risk: Indeterminate

These restrictions appear to affect the estimates of impact and risk. In its security report, SuSE concludes that the risk is only high, with a CVSS value of 8.1; updated packages are available. Debian is also releasing updated packages directly that patch the vulnerability; there were initially problems with cURL there, which have since been fixed as well.

Fedora, on the other hand, appears to use zlib only as part of rsync and therefore ships updated rsync packages. The Red Hat maintainers rate the threat posed by the zlib vulnerability in rsync only as medium.


Since the CVE entry itself also contains a reference to a re-evaluation of the vulnerability, the general assessment may still change. Nonetheless, Linux and Unix administrators should promptly run their distribution's package manager and have it search for updated packages in order to minimize the attack surface.

Almost six months ago, the renowned IT security expert Tavis Ormandy discovered a very old security flaw in zlib. At the time, Ormandy also pointed out the problem of the numerous statically linked copies of zlib in other software projects, which need updates of their own, just as Fedora is now demonstrating with rsync.

