Zlib Compression Denial of Service

Secunia PSI has been alerting on a vulnerable version of zlib.dll in many of my applications on my home computer. In a security writeup from July 2005, Secunia reports

a vulnerability in zlib, which can be exploited by malicious people to cause a DoS (Denial of Service) against a vulnerable application.
The vulnerability has been reported in version 1.2.2. Prior versions may also be affected.


This doesn’t bother me so much when it is detected in old versions of Taxcut installed on the computer, but when it is reported in Wireshark 1.0.1 (not sure if this is fixed in Wireshark 1.0.2) and the latest version of iTunes, I wonder what the deal is.
UPDATE – See the comments, this is actually fixed in Wireshark in spite of the Secunia detection.
I renamed the old dll and replaced it with the latest version from http://www.zlib.net/. Secunia is happy, and it didn’t seem to cause any issues with the applications.

5 Comments

  1. The Windows version of Wireshark does in fact ship with zlib 1.2.3, and has since 2005 when the vulnerability was made public. The problem stems from the fact that we compile our own zlib package (which we must do in order to support different versions of Visual Studio), and the resource file that ships with the zlib 1.2.3 sources (win32/zlib1.rc) sets the version to 1.2.2.
    If you go to “Help->About Wireshark” you’ll see that it was compiled with libz 1.2.3.

  2. There’s a bug in the distributed resource information in the zlib source code. Even though the code is fixed part of the resource info still exports the old version info.
    Hence, no problem, just mis-identified. See the Wireshark bug database entry.
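The two comments above describe the same thing from both sides: a scanner such as PSI reads the VERSIONINFO resource baked into zlib1.dll, while Help->About reports what the library itself returns from zlibVersion() at run time. The following script, added here as an example and not code from the original post, from Secunia, zlib or Wireshark, compares both kinds of version string against 1.2.3 (the first release the comments call fixed) and flags the case where the file metadata is stale but the loaded code is fine. It also asks the interpreter's own zlib the same question, using Python's zlib.ZLIB_VERSION (header version at build time) and zlib.ZLIB_RUNTIME_VERSION (the live zlibVersion() result). The sample resource string "1, 2, 2, 0" is constructed to mimic the comma-separated form used in .rc files; the helper names are this example's own.

```python
"""Check zlib version strings the way a scanner and the library itself see them.

Added example; not from the original post, Secunia, zlib or Wireshark.
"""
import re
import zlib

# First release that the 2005 advisory quoted in the post does not flag.
FIXED = (1, 2, 3)


def parse_version(text):
    """Turn '1.2.3', '1.2.3.1' or an .rc-style '1, 2, 2, 0' into an int tuple."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError("no version digits in %r" % (text,))
    return tuple(int(p) for p in parts)


def is_fixed(text, fixed=FIXED):
    """True if `text` names a version at or above `fixed` (missing fields count as 0)."""
    v = parse_version(text)
    width = max(len(v), len(fixed))
    v_padded = v + (0,) * (width - len(v))
    f_padded = tuple(fixed) + (0,) * (width - len(fixed))
    return v_padded >= f_padded


def classify(resource_version, runtime_version):
    """Reconcile what the file's VERSIONINFO resource claims with what the code reports.

    resource_version: the string a file scanner reads from the DLL's resource block.
    runtime_version:  what zlibVersion() returns once the library is loaded.
    Returns 'fixed', 'vulnerable', or 'stale-metadata' (code fixed, resource lagging).
    """
    code_ok = is_fixed(runtime_version)
    meta_ok = is_fixed(resource_version)
    if not code_ok:
        return "vulnerable"
    if not meta_ok:
        return "stale-metadata"
    return "fixed"


def runtime_check():
    """Compare the zlib headers Python was built against with the zlib actually loaded.

    Returns (header_version, runtime_version, runtime_is_fixed).
    """
    header = zlib.ZLIB_VERSION
    runtime = zlib.ZLIB_RUNTIME_VERSION
    return header, runtime, is_fixed(runtime)


if __name__ == "__main__":
    # Constructed sample: the resource block in zlib 1.2.3's win32/zlib1.rc says 1.2.2
    # (comma-separated, as .rc files write it) while the compiled code says 1.2.3.
    print(classify("1, 2, 2, 0", "1.2.3"))
    print(runtime_check())
```

Running it against a real DLL would mean feeding classify() the FileVersion string read from the resource block and the result of loading the library and calling zlibVersion(); the point of the check is that a disagreement between the two should send you to the code's answer, not the scanner's, before replacing files.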

  3. Thanks!
    I am always amazed by the number of knowledgeable people that stop by the blog.
    I’ll put a note in the original post pointing to the comments.
    Thanks
