Linux Compression Format Flaw Found

The bug, which affects the current version of zlib, 1.2.2, can be exploited to create a denial-of-service (DoS) attack, which could crash any application using the library or let the attacker plant code of his own remotely, according to an alert by Danish security firm Secunia. The company rated the zlib vulnerability as "Highly critical," its second-most dire ranking.

A researcher at Gentoo Linux was the first to uncover the vulnerability Wednesday, and posted a warning on his company's Web site.

While no patch is available from the open-source zlib project, commercial Linux vendors have already updated their distributions with version-specific fixes. Debian, FreeBSD, Gentoo, OpenBSD, Red Hat, and SuSE have all posted patches, for instance.

A similar, although not as dangerous, DoS vulnerability was spotted in the zlib compression format in August 2004, and patched by the 1.2.2 version in October of that year.
