Gentoo Linux has warned of a serious, unpatched security flaw in zlib, a compression library widely used in Linux and Unix applications. The bug could be exploited to crash any application using zlib, and possibly to run malicious code on a system, security experts warned.

Separately, exploit code has appeared for a flaw affecting older versions of Firefox, increasing the risk of active attacks on the browser.

The bug affects zlib 1.2.2, and no patch is available from the zlib project. However, several Linux and Unix vendors immediately issued their own updates for the library, including Ubuntu, Red Hat, Gentoo, Suse, Debian and FreeBSD.

Tavis Ormandy of Gentoo’s security audit team discovered the flaw, which the company said could be exploited remotely. “An attacker could construct a malformed data stream, embedding it within network communication or an application file format, potentially resulting in the execution of arbitrary code when decoded by the application using the zlib library,” Gentoo said in an advisory.

Independent security firm Secunia said the bug was due to a boundary error in “inftrees.c” when handling corrupted compressed data streams. Secunia marked the flaw as “highly critical” rating, its second most serious rating.

Zlib 1.2.2 itself replaced version 1.2.1, which was affected by a less-serious bug allowing denial of service attacks. The new bug may also affect versions earlier than 1.2.2.

Exploit code was released for a Firefox bug affecting versions 1.0.1 and earlier, according to the French Security Incident Response Team, FrSIRT.

In a Wednesday advisory the organization said the risk of exploitation of the bug, which involves the decoding of GIF images, was “critical”. Users could be attacked via an image embedded in an email or a Web page, according to security researchers.

The bug was fixed in a March update, and most Firefox users are no longer using versions 1.0.1 and earlier, according to the Mozilla Foundation, which develops the browser.

The first version of the new Netscape 8 browser, released in late May, initially contained the old flaw, along with about 40 others. Netscape was forced to release version 8.0.1 a few hours after 8.0’s release, fixing the bugs.

Related Download
Security Training Resource Kit Sponsor: ITWC
Security Training Resource Kit
Want to reduce your security incidents? Experts say that training can reduce security incidents by anywhere from 45% to 70%. But how do you train your employees effectively? Yes, you can send memos and do courses, but who reads this stuff? That's why we took a different approach.
Download Now