Gentoo Linux has warned of a serious, unpatched security flaw in zlib, a compression library widely used in Linux and Unix applications. The bug could be exploited to crash any application using zlib, and possibly to run malicious code on a system, security experts warned.
Separately, exploit code has appeared for a flaw affecting older versions of Firefox, increasing the risk of active attacks on the browser.
The bug affects zlib 1.2.2, and no patch is available from the zlib project. However, several Linux and Unix vendors immediately issued their own updates for the library, including Ubuntu, Red Hat, Gentoo, Suse, Debian and FreeBSD.
Tavis Ormandy of Gentoo's security audit team discovered the flaw, which the company said could be exploited remotely. "An attacker could construct a malformed data stream, embedding it within network communication or an application file format, potentially resulting in the execution of arbitrary code when decoded by the application using the zlib library," Gentoo said in an advisory.
Independent security firm Secunia said the bug was due to a boundary error in "inftrees.c" when handling corrupted compressed data streams. Secunia marked the flaw as "highly critical" rating, its second most serious rating.
Zlib 1.2.2 itself replaced version 1.2.1, which was affected by a less-serious bug allowing denial of service attacks. The new bug may also affect versions earlier than 1.2.2.
Exploit code was released for a Firefox bug affecting versions 1.0.1 and earlier, according to the French Security Incident Response Team, FrSIRT. In a Wednesday advisory the organisation said the risk of exploitation of the bug, which involves the decoding of GIF images, was "critical". Users could be attacked via an image embedded in an email or a Web page, according to security researchers.
The bug was fixed in a March update, and most Firefox users are no longer using versions 1.0.1 and earlier, according to the Mozilla Foundation, which develops the browser.
The first version of the new Netscape 8 browser, released in late May, initially contained the old flaw, along with about 40 others. Netscape was forced to release version 8.0.1 a few hours after 8.0's release, fixing the bugs.