Zlib crash-an-app bug finally squashed, 17 years later

The widely used Zlib data-compression library finally has a patch to close a vulnerability that could be exploited to crash applications and services — four years after the vulnerability was first discovered but effectively left unfixed. Google Project Zero bug hunter Tavis Ormandy alerted the Open-Source-Software-Security …

  1. Shepard

    Ouch

    This also means you need to update libpng, which is used pretty much in every browser, image viewer, photo editor, game engine... there's gonna be a long list of updates to sift through in the coming days.

    1. Charlie Clark Silver badge

      Re: Ouch

      Doesn't libpng require zlib as a dependency?

      In any case lots of software, including MS Office, will need updating because zip is the default file format for many, even if they use different file extensions.

    2. John Brown (no body) Silver badge

      Re: Ouch

      On the bright side, for most *nix users, it will only be the one or two relevant libraries that need updating. Windows users will more likely have a much tougher time of it as "shared libraries" are often statically compiled into each app, necessitating all of those apps to be updated.

      EDIT, I see from comments further down this is a bigger can of worms than I suspected and not only Windows users might be in a world of pain thanks to programmers cutting and pasting the code in locally instead of calling the system library.

  2. Clausewitz 4.0

    Zlib in embedded

    Zlib being used in embedded devices is not going to be updated for a few years.

    Enormous potential to be bigger than log4j, not simpler - due to the timespan.

    1. Dazed and Confused

      Re: Zlib in embedded

      What, you mean like every single old phone which isn't receiving updates any more?

      1. cavac

        Re: Zlib in embedded

        Yeah, like half of the flagship phones you can buy right now ;-)

  3. Snake Silver badge

    Irony

    Ooh, the FOSS community was really proactive in fixing this issue!

    Oh, wait...

    1. Charlie Clark Silver badge

      Re: Irony

      No one was proactive in fixing this, including companies that arguably make billions from using it.

    2. Dan 55 Silver badge

      Re: Irony

      Ah, you mean the library written by two people in their spare time, then these billionaire multinationals come along and copy-paste the code without auditing it or coughing up a penny, then when a bug is found the FOSS community gets the stick? That library?

      xkcd 2347 - A project some random person in Nebraska has been thanklessly maintaining since 2003.

      1. Snake Silver badge

        Re: FOSS community

        But that's a LOT of the FOSS software basis, a *lot* of open source software is supported on the time, graciousness, and backs of a few coders devoted to their project.

        ...and when this weakness in the FOSS belief system is brought up, the debater gets pounced on.

        1. Dog11

          Re: FOSS community

          You always have the option to choose closed-source software, where the publisher can arbitrarily declare no more support, goes out of business, or is eaten by the borg. For example, if it runs a multi-million dollar machine whose manufacturer went out of business two decades ago.

          1. Snake Silver badge

            Re: FOSS community?

            But that's the issue right there, you missed my cross-reference: exactly what promise does FOSS software give to the user that the exact same thing won't happen?

            FOSS gives you NO declared promise that the same thing won't happen, yet believers think otherwise. With a lot of projects written off the backs of a few select coders, what promise is there - besides hope that someone else picks up the workload - if the coder quits?

            If the belief of coders picking up projects to make software for the benefit of doing so were true, when the thrown-about phrase "If you don't like it, fork it and develop it yourself!" was spoken a LOT more versions of a *lot* of programs would be out there.

            Not true, is it?

            1. Dan 55 Silver badge

              Re: FOSS community?

              The other great complaint about the FOSS world is there is too much choice, you're saying here that there's not enough. Oh well.

              Why would anyone fork zlib or any other project which works well now? If the two original writers of zlib hang up their keyboards then I'm pretty sure someone would pick it up, and the code is available to be able to do that.

              Imagine what would have happened if zlib were a closed-source library and the company had folded five years ago. That's the difference.

  4. DS999 Silver badge

    And people like to shame companies

    If they take longer than 90 days to fix some bugs. Whether you count it as 17 years or 4 years, that's a long time...

    And zlib is everywhere. The difference between zlib and log4j in amount of code that's potentially exposed is like the population difference between India and a town so small it has only a post office and a pub.

    1. Anonymous Coward

      Re: pubs and post offices

      I love that comment, but sadly it's dated. Not long ago a town here with one real house might well have also had a post office and two pubs to keep it company. Now rural post offices are closing faster than they can say "there are no bugs in our computer system" and even in big towns the post offices are just becoming a kiosk at the back of the local Smiths or Co-op. And pubs were being lost at a scary rate even before covid. My village used to have 6 and now has only 2 and one of those is now really a restaurant that also sells beer rather than a pub that sells food.

      1. Manolo

        Re: pubs and post offices

        I think here post offices do not even exist anymore.

    2. cavac

      Re: And people like to shame companies

      It's probably even worse than you think. If you have a complicated library that's hard to compile (complicated configure/make/cmake whatever), people often use the system library.

      With zlib, you just copy a few files into your project. It just compiles, and you don't have to worry about external dependencies. So half the stuff out there that uses zlib uses its own local version that doesn't get updated with a normal system update.

      I just wrote an email to 60+ Perl package maintainers, because they all used their own local copy of those files. It doesn't look much better for projects in other programming languages.

      A quick stroll through various search engine results resulted in me facepalming often enough to give me a decent headache...

      1. DS999 Silver badge

        Re: And people like to shame companies

        Yeah that's sort of what I was getting at. So much software includes its own copy of zlib, rather than dynamic linking to the system installed version. If you wanted to patch your PC or phone to fix zlib, you would have to hope that updates are available for a LOT of apps!

        You can download any random software and the odds are decent there will be a zlib.c file somewhere.
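The two comments above describe the practical problem for anyone trying to patch: copies of zlib sit inside source trees as a few copied files, and inside binaries that were statically linked against an old release. The following scanner is an added example, not code from the article or from any commenter, that inventories both kinds under a directory. It assumes only two things that hold for upstream zlib: `zlib.h` carries a `#define ZLIB_VERSION "x.y.z"` line, and `deflate.c`/`inflate.c` embed a ` deflate x.y.z Copyright ` / ` inflate x.y.z Copyright ` string that survives in linked binaries. The minimum patched version is a parameter; the sample tree and its version numbers are constructed for the demo, so take the real threshold from the zlib changelog.

```python
"""Inventory vendored and statically linked zlib copies under a directory tree.

Added example (not from the article or its comments). Assumptions:
  * zlib.h contains:  #define ZLIB_VERSION "x.y.z"
  * deflate.c / inflate.c contain a copyright string such as
    " deflate x.y.z Copyright ..." which survives static linking.
  * The version threshold passed to report() is the caller's choice;
    values used below are constructed for the demonstration only.
"""
import os
import re
import tempfile
from typing import Iterator, List, Tuple

_VERSION_DEFINE = re.compile(rb'#\s*define\s+ZLIB_VERSION\s+"([0-9.]+)"')
_COPYRIGHT_MARK = re.compile(rb' (?:deflate|inflate) ([0-9.]+) Copyright ')


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.3.4' -> (1, 2, 3, 4); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def is_older(found: str, minimum: str) -> bool:
    """True when the discovered version predates the minimum patched one."""
    return parse_version(found) < parse_version(minimum)


def find_zlib_copies(root: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (path, kind, version): kind is 'source' for a zlib.h header,
    'linked' for any other file carrying zlib's embedded copyright string."""
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip, do not abort the inventory
            if name == "zlib.h":
                match = _VERSION_DEFINE.search(data)
                if match:
                    yield path, "source", match.group(1).decode()
                continue
            match = _COPYRIGHT_MARK.search(data)
            if match:
                yield path, "linked", match.group(1).decode()


def report(root: str, minimum: str) -> List[Tuple[str, str, str, bool]]:
    """Sorted rows of (path, kind, version, outdated) for everything found."""
    return sorted(
        (path, kind, version, is_older(version, minimum))
        for path, kind, version in find_zlib_copies(root)
    )


def build_sample_tree() -> str:
    """Constructed sample tree: two vendored zlib.h headers with made-up
    version numbers and a fake binary with an embedded copyright string."""
    root = tempfile.mkdtemp(prefix="zlib-scan-")
    old_dir = os.path.join(root, "vendor", "old-zlib")
    new_dir = os.path.join(root, "thirdparty", "zlib")
    os.makedirs(old_dir)
    os.makedirs(new_dir)
    with open(os.path.join(old_dir, "zlib.h"), "w") as fh:
        fh.write('#define ZLIB_VERSION "1.2.3"\n')  # constructed value
    with open(os.path.join(new_dir, "zlib.h"), "w") as fh:
        fh.write('#define ZLIB_VERSION "1.9.0"\n')  # constructed value
    with open(os.path.join(root, "app.bin"), "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 32
                 + b" deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler "
                 + b"\x00" * 16)  # constructed stand-in for a statically linked binary
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    # "1.2.10" is an arbitrary threshold for the demo, not the real fixed release.
    for path, kind, version, outdated in report(sample_root, "1.2.10"):
        flag = "OUTDATED" if outdated else "ok"
        print(f"{flag:8} {kind:6} {version:8} {os.path.relpath(path, sample_root)}")
```

Run it against a real checkout or an unpacked package with `report("/path/to/tree", "<first patched release>")`; every `source` row is a copied header that no system update will touch, and every `linked` row is a binary that has to be rebuilt by whoever ships it.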

  5. Grunchy Silver badge

    “Much ado about nothing.”

    Must be a real subtle bug, since this software is used just about everywhere and yet the issue was pretty much forgotten about for nearly two decades.

    Speaking about long-forgotten topics, Vans Hardware (alternative to the Register) is still reporting about a “potential” false flag attack on its front page… for 2013!

    “A pastebin post self-attributed to the secretive and nebulous activist group “Anonymous” claims that a 9/11-style false flag attack on the Los Angeles Citibank building may occur tomorrow, Friday, November 15, 2013…”

  6. Brewster's Angle Grinder Silver badge

    Zlib is every-fucking-where. What was that about monocultures again....?

    1. Charlie Clark Silver badge

      Given the fact that Zlib is really just a way to compress data, including http connections, I'm not sure that monoculture is an issue. But this is clearly an instance of the tragedy of the commons: everyone uses it but no one maintains it.

      1. cavac

        It's important that you can not avoid using that compression algorithm these days. It's not only in HTTP, but also in standards like PNG files, among others.

        It doesn't have an amazing compression ratio, but it's lightning fast compared to most other algorithms.

        And zlib is the easiest to use. You don't even have to find and then use whatever zlib library your operating system provides, oh no. You just copy a few .c and .h files into your project and you are pretty much done and guaranteed to work, no matter what OS you use.

        Of course, you are supposed to track the zlib changelog and security announcement, but nobody got time for that, right?

  7. Al fazed

    Well that solves that little issue then .................

    Thanks be given that the cause of this "issue" with Open Office and Libre Office on this machine, has at last been discovered.............. maybe I'll be able to get some work done without the damn things crashing and losing some of the previously Saved data.

    Not being a Dev, I didn't feel that I had any right to complain, not even certain if the fault lay with the hardware, the OS or some FOSS dependency which only shows up with this hardware/software architecture.

    In my mind, this issue was a fault of my own creating for using Microsoft's Windose 10 .......... and may still be the culprit as this issue doesn't occur when using the same FOSS office applications on my ancient MacBook, or the rather older XP box.

    As a purely End User I am particularly grateful to all FOSS contributors, 'cos otherwise I could not afford to take part in the Information Age. Praise be for Open Office, Libre Office, GIMP, Linuxii etcetera......

    Cheers everybody ....

    ALF
