back to article Zlib crash-an-app bug finally squashed, 17 years later

The widely used Zlib data-compression library finally has a patch to close a vulnerability that could be exploited to crash applications and services — four years after the vulnerability was first discovered but effectively left unfixed. Google Project Zero bug hunter Tavis Ormandy alerted the Open-Source-Software-Security …

  1. Shepard


    This also means you need to update libpng, which is used pretty much in every browser, image viewer, photo editor, game engine... there's gonna be a long list of updates to sift through in the coming days.

    1. Charlie Clark Silver badge

      Re: Ouch

      Doesn't libpng require zlib as a dependency?

      In any case lots of software, inlcuding MS Officce, will need updating because zip is the default file format for many, even if they use different file extensions.

    2. John Brown (no body) Silver badge

      Re: Ouch

      On the bright side, for most *nix users, it will only be the one or two relevant libraries that need updating. Windows users will more likely have a much tougher time of it as "shared libraries" are often statically compiled into each app, necessitating all of those apps to be updated.

      EDIT, I see from comments further down this is a bigger can of worms than I suspected and not only Windows users might be in a world of pain thanks to programmers cutting and pasting the code in locally instead of calling the system library.

  2. Clausewitz 4.0

    Zlib in embedded

    Zlib being used in embedded devices are not going to be updated for a few years.

    Enormous potential to be bigger than log4j, not simpler - due to the timespan.

    1. Dazed and Confused

      Re: Zlib in embedded

      What you mean like every singe old phone which isn't receiving updates any more?

      1. cavac

        Re: Zlib in embedded

        Yeah, like half of the flagship phones you can buy right now ;-)

  3. Snake Silver badge


    Ooh, the FOSS community was really proactive in fixing this issue!

    Oh, wait...

    1. Charlie Clark Silver badge

      Re: Irony

      No one was proactive in fixing this, including companies that arguably make billions from using it.

    2. Dan 55 Silver badge

      Re: Irony

      Ah, you mean the library written by two people in their spare time, then these billionaire multinationals come along and copy-paste the code without auditing it or coughing up a penny, then when a bug is found the FOSS community gets the stick? That library?

      xkcd 2347 - A project some random person in Nebraska has been thanklessly maintaining since 2003.

      1. Snake Silver badge

        Re: FOSS community

        But that's a LOT of the FOSS software basis, a *lot* of open source software is supported on the time, graciousness, and backs of a few coders devoted to their project.

        ...and when this weakness in the FOSS belief system is brought up, the debater gets pounced on.

        1. Dog11

          Re: FOSS community

          You always have the option to choose closed-source software, where the publisher can arbitrarily declare no more support, goes out of business, or is eaten by the borg. For example, if it runs a multi-million dollar machine whose manufacturer went out of business two decades ago.

          1. Snake Silver badge

            Re: FOSS community?

            But that's the issue right there, you missed my cross-reference: exactly what promise does FOSS software give to the user that the exact same thing won't happen??.

            FOSS gives you NO declared promise that the same thing won't happen, yet believers think otherwise. With a lot of projects written off the backs of a few select coders, what promise is there - besides hope that someone else picks up the workload - if the coder quits?

            If the belief of coders picking up projects to make software for the benefit of doing so were true, when the thrown-about phrase "If you don't like it, fork it and develop it yourself!" was spoken a LOT more versions of a *lot* of programs would be out there.

            Not true, is it?

            1. Dan 55 Silver badge

              Re: FOSS community?

              The other great complaint about the FOSS world is there is too much choice, you're saying here that there's not enough. Oh well.

              Why would anyone fork zlib or any other project which works well now? If the two original writers of zlib hang up their keyboards then I'm pretty sure someone would pick it up, and the code is available to be able to do that.

              Imagine what would have happened if zlib were a closed-source library and the company had folded five years ago. That's the difference.

  4. DS999 Silver badge

    And people like to shame companies

    If they take longer than 90 days to fix some bugs. Whether you count it as 17 years or 4 years, that's a long time...

    And zlib is everywhere. The difference between zlib and log4j in amount of code that's potentially exposed is like the population difference between India and a town so small it has only a post office and a pub.

    1. Anonymous Coward
      Anonymous Coward

      Re: pubs and post offices

      I love that comment, but sadly it's dated. Not long ago a town here with one real house might well have also had a post office and two pubs to keep it company. Now rural post offices are closing faster that they can say "there are no bugs in our computer system" and even in big towns the post offices are just becoming a kiosk at the back of the local Smiths or Co-op. And pubs were being lost at a scary rate even before covid. My village used to have 6 and now has only 2 and one of those is now really a restaurant that also sells beer rather than a pub that sell food.

      1. Manolo

        Re: pubs and post offices

        I think here post offices do not even exist anymore.

    2. cavac

      Re: And people like to shame companies

      It's probably even worse than you think. If you have a complicated library that's hard to compile (complicated configure/make/cmake whatever), people often use the system library.

      With zlib, you just copy a few files into your project. It just compiles, and you don't have to worry about external dependencies. So half the stuff out there that uses zlib uses its own local version that doesn't get updated with a normal system update.

      I just wrote an email to 60+ Perl package maintainers, because they all used their own local copy of those files. It doesn't look much better for projects in other programming languages.

      A quick stroll through various search engine results resulted in me facepalming often enough to give me a decent headache...

      1. DS999 Silver badge

        Re: And people like to shame companies

        Yeah that's sort of what I was getting at. So much software includes its own copy of zlib, rather than dynamic linking to the system installed version. If you wanted to patch your PC or phone to fix zlib, you would have to hope that updates are available for a LOT of apps!

        You can download any random software and the odds are decent there will be a zlib.c file somewhere.

  5. Grunchy Silver badge

    “Much ado about nothing.”

    Must be a real subtle bug, since this software is used just about everywhere and yet the issue was pretty much forgotten about for nearly two decades.

    Speaking about long-forgotten topics, Vans Hardware (alternative to the Register) is still reporting about a “potential” false flag attack on its front page… for 2013!

    “A pastebin post self-attributed to the secretive and nebulous activist group “Anonymous” claims that a 9/11-style false flag attack on the Los Angeles Citibank building may occur tomorrow, Friday, November 15, 2013…”

  6. Brewster's Angle Grinder Silver badge

    ZLIb is every-fucking-where. What was that about monocultures again....?

    1. Charlie Clark Silver badge

      Given the fact that Zlib is really just away to compress data, including http connections, I'm not sure that monoculture is an issue. But this is clearly an instance of the tragedy of the commons: everyone uses it but no one maintains it.

      1. cavac

        It's important that you can not avoid using that compression algorithm these days. It's not only in HTTP, but also in standards like PNG files, among others.

        It doesn't have an amazing compression ratio, but it's lightning fast compared to most other algorithms.

        And zlib is the easiest to use. You don't even have to find and then use whatever zlib library your operating system provides, oh no. You just copy a few .c and .h files into your project and you are pretty much done and guaranteed to work, no matter what OS you use.

        Of course, you are supposed to track the zlib changelog and security announcement, but nobody got time for that, right?

  7. Al fazed

    Well that solves that little issue then .................

    Thanks be given that the cause of this "issue" with Open Office and Libre Office on this machine, has at last been discovered.............. maybe I'll be able to get some work done without the damn things crashing and losing some of the previously Saved data.

    Not being a Dev, I didn't feel that I had any right to complain, not even certain if the fault lay with the hardware, the OS or some FOSS dependency which only shows up with this hardware/software architecture.

    In my mind, this issue was a fault of my own creating for using Microsoft's Windose 10 .......... and may still be the culprit as this issue doesn't occur when using the same FOSS office applications on my ancient MacBook, or the rather older XP box.

    As a purely End User I am particularly grateful to all FOSS contributers, 'cos otherwise I could not afford to take part in the Information Age. Praise be for Open Office, Libre Office, GIMP, Linuxii etcetera......

    Cheers everyboby ....


POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like