Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zlib Security Flaw Could Cause Widespread Trouble

Posted by timothy on from the all-over-the-place dept.

BlueSharpieOfDoom writes "Whitedust has an interesting article posted about the new zlib buffer overflow. It affects countless software applications, even on Microsoft Windows. Some of the most affected application are those that are able to use the PNG graphic format, as zlib is wildely used in compression of PNG images. Zlib was also in the news in 2002 because of a flaw found in the way it handled memory allocation. The new hole could allow remote attackers to crash the vulnerable program or even the possiblity of executing arbitrary code."

12 of 372 comments (clear)

  1. Important: Use a safe browser by aussie_a · · Score: 4, Funny

    Because Firefox renders PNG completely, it is prone to these sort of errors. However there is one browser that won't need a patch issued to be safe from this bug, which is Internet Explorer. While IE can render PNG a little, it hasn't implemented the full technology. By using IE, you ensure that you will be safe from any bugs that arise from new technologies, such as PNG.

    So next time someone recommends a browser. Stop and wonder about what technology the latest browser has implemented properly without regard to any security issues, and remember that it will be decades before IE implements the technology (if it ever does) so it will be safe for quite some time, by being a stable browser that rarely changes.


    Mods: This is not an attempt at troll, but a parody of the typical "This is why you should switch to Firefox" posts whenever a vulnerability involving IE. It should be painfully obvious, but then again most of you are on crack.

    1. Re:Important: Use a safe browser by ratnerstar · · Score: 2, Funny

      Were you born without a sense of humor, or did you have it surgically removed?

      --
      Just because you sold your soul to the devil that needn't make you a teetotaler. --The Devil and Daniel Webster
  2. Re:Modularised code will always have this problem. by Da+Fokka · · Score: 2, Funny
    For some reason your comment is moderated 'troll', probably because you had the filthy guts of uttering the Forbidden Word 'Visual C++'.

    Actually, 'forbidden term' would be more appropriate. My bad.

  3. even on Microsoft Windows by Turn-X+Alphonse · · Score: 2, Funny

    even on Microsoft Windows

    NOT WINDOWS! I was just about to move to it from this Linux thing!

    --
    I like muppets.
  4. Re:Modularised code will always have this problem. by CaptainFork · · Score: 4, Funny
    Why are we still having buffer overflows? There's a compile option in Visual C++ that allows automatic buffer overflow protection. Does GCC have this switch? If so, why not?

    If so why not? - and if not, why so?

    Why why not but not if not? Why not not?

  5. Re:For those with IE on XP,2003 by smallstepforman · · Score: 2, Funny

    Opera 8.01 works fine. But what else would you expect from Scandinavians.

    --
    Revolution = Evolution
  6. Re:Not just IE by TekBoy · · Score: 2, Funny

    It is sites like that this that make Firefox's Session Saver extension a bad idea. I just had to click it. :-) Then firefox just had to restore it the next time loaded. :-0

    My stupidity squared.

  7. Re:Mods on crack!? by atrocious+cowpat · · Score: 3, Funny
    Mods: This is not an attempt at troll, but a parody of the typical "This is why you should switch to Firefox" posts whenever a vulnerability involving IE. It should be painfully obvious, but then again most of you are on crack.

    Slander! I only mod people down when I'm off crack!
    --
    sig? Oh, that sig...
  8. Is i my imagination... by MSDos-486 · · Score: 3, Funny

    or does it seem the end of the world will be caused by a buffer overflow?

  9. Re:Modularised code will always have this problem. by Saint+Stephen · · Score: 3, Funny
    Foam at the mouth and fall over backwards. Is he foaming at the mouth to fall over backwards or falling over backwards to foam at the mouth. Tonight 'Spectrum' examines the whole question of frothing and falling, coughing and calling, screaming and bawling, walling and stalling, galling and mauling, palling and hauling, trawling and squalling and zalling. Zalling? Is there a word zalling? If there is what does it mean...if there isn't what does it mean? Perhaps both. Maybe neither. What do I mean by the word mean? What do I mean by the word word, what do I mean by what do I mean, what do I mean by do, and what do I do by mean? What do I do by do by do and what do I do by wasting your time like this? Goodnight
    -- Monty Python
  10. Zlib loaded with Spyware by yajacuk · · Score: 3, Funny
    I ran the AOL Spyware protection twice this week and both times I found spyware in the Zlib library.
    Here is a sample of the Scan log.
    ASP Version: 1.0.77 Definition Date: 01-05-05 Date: 7/6/2005 5:02:02 PM
    Action: Found: c:\Program Files\daimonin\client\zlib.dll
    Spyware Name: Diablo Keys
  11. Re:Modularised code will always have this problem. by Dun+Malg · · Score: 2, Funny
    Of course, the fact that djb writes secure software using exactly that technique means *you* probably need to rethink your assumptions.

    Get a clue, you anonymous turd. DJ Bernstein isn't working under the whip of a corporate master demanding working apps in murderous short timeframes. Furthermore, the existence of one brilliant man who can manage to keep enormous amounts of state in his head and turn out perfect code is not prima facie evidence that all who cannot are somehow lacking.

    Personally, my goal is always perfection. I know it's difficult and I don't always achieve it, but I gotta wonder about people like you who "aim low".

    Who the fuck said anything about "aiming low"? My point is that errors happen and that you can't just browbeat people into not making mistakes. You say it yourself: "I don't always achieve [perfection]".

    Unfortunately, giving people lectures doesn't teach them how to do this.

    THAT WAS EXACTLY MY POINT, JACKASS!

    In an industry with about zero barrier to entry, most software is going to be crap. Most programmers simply don't know what they are doing. But don't let that cloud your thinking. It *is* possible to write secure software exactly like you describe.

    It is possible, but the chaotic way most programming shops are run make it highly unlikely. Overwork, lack of sleep, poor communication, and shifting goals make errors inevitable. One brilliant man sitting down and writing qmail on his own time and at his own pace does not scale to ten overworked regular code grinders trying to crank out two months work in two weeks.

    If you think "writing secure software is impossible", you've already lost

    If you think that's what I said, go back and read it the fuck again. Your reading comprehension is as bad as your superiority complex.

    please get out of the industry, or at least don't write software that deals with network data.

    After you, you arrogant prick.

    --
    If a job's not worth doing, it's not worth doing right.