Critical Zlib Vulnerability Let Attackers Trigger Buffer Overflow by Invoking untgz

A severe global buffer overflow has been discovered in version 1.3.1.2 of the untgz utility that ships with zlib. An attacker who controls the utility's command-line arguments can corrupt memory and potentially execute malicious code by supplying a specially crafted archive name.

The flaw resides in the TGZfname() function of untgz, where an unbounded strcpy() call copies the user-supplied archive name without any length validation.

The vulnerability occurs when the utility copies attacker-controlled input from the command line into a fixed-size static global buffer of only 1,024 bytes.​

Technical Details

The root cause stems from poor input handling: the archive name is derived directly from the argv[] parameters and copied into a global static array without bounds checking.

The overflow happens immediately on function entry, before any archive parsing or validation takes place, so it can be triggered from the command line alone with nothing more than an overlong argument.

Attribute            Details
CVE ID               Not yet assigned
Affected Software    zlib untgz utility (contrib/untgz)
Affected Version     v1.3.1.2
Vulnerability Type   Global buffer overflow
CWE                  CWE-120 (Buffer Copy without Checking Size of Input)
Attack Vector        Command-line input (argv)
Impact               Denial of service, memory corruption, potential code execution

Security researchers demonstrated that supplying an archive name of 1,024 bytes or more (strcpy() also writes the terminating NUL, so a 1,024-character name already spills one byte) triggers an out-of-bounds write past the end of the buffer, corrupting memory.

The potential impacts include denial-of-service crashes, corruption of adjacent global memory objects, and undefined behavior.

More critically, depending on compiler settings, system architecture, build flags, and memory layout, attackers may be able to execute code.​

Researchers reproduced the bug under AddressSanitizer (ASan) by invoking untgz with a 4,096-byte filename argument.

The ASan report confirmed a global-buffer-overflow on a write of 2,001 bytes to the vulnerable address.

Because the buffer is a static global rather than a stack variable, the overwritten bytes are not discarded when TGZfname() returns: whatever global data follows the buffer stays corrupted and can influence the rest of the run.
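The vulnerable pattern beside a bounded replacement, written here as an added example in C rather than taken from zlib's untgz.c. tgzfname_unbounded() mirrors the strcpy()-into-a-1,024-byte-static-buffer pattern described in the Technical Details and ASan sections above; tgzfname_bounded() and tgz_candidate() show the length check and the snprintf() return-value check that prevent it. The suffix list, the make_name() helper and the "unsafe" flag are assumptions made for this example; the real TGZfname() also appends archive suffixes after the copy, which is why the bound reserves room for the longest suffix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TGZ_BUFSZ 1024

/* Illustrative suffix list (an assumption for this example; the real
 * utility probes its own list of archive suffixes after the copy). */
static const char *const tgz_suffix[] = { ".tgz", ".tar.gz", NULL };

/* Vulnerable pattern the article describes: the argv-derived arcname is
 * strcpy()'d into a 1024-byte static global with no length check, so a
 * name of 1024 bytes or more writes past the end of `buffer`. Kept
 * deliberately unsafe for comparison; only call it under ASan. */
char *tgzfname_unbounded(const char *arcname)
{
    static char buffer[TGZ_BUFSZ];
    strcpy(buffer, arcname);
    return buffer;
}

/* Longest suffix the buffer must leave room for. */
static size_t longest_suffix(void)
{
    size_t max = 0;
    for (size_t i = 0; tgz_suffix[i]; i++) {
        size_t n = strlen(tgz_suffix[i]);
        if (n > max)
            max = n;
    }
    return max;
}

/* Hardened variant: refuse any name that cannot fit in the buffer together
 * with the longest suffix and the terminating NUL, then copy with an
 * explicit length instead of strcpy(). Returns NULL when the name is
 * rejected, so the caller can fail cleanly instead of corrupting memory. */
char *tgzfname_bounded(const char *arcname)
{
    static char buffer[TGZ_BUFSZ];
    size_t len = strlen(arcname);

    if (len + longest_suffix() + 1 > TGZ_BUFSZ)
        return NULL;
    memcpy(buffer, arcname, len);
    buffer[len] = '\0';
    return buffer;
}

/* Build "base + suffix[idx]" into a static buffer with snprintf(), checking
 * the return value so truncation is reported rather than silently accepted.
 * Returns NULL if idx is out of range or the result does not fit. */
char *tgz_candidate(const char *base, size_t idx)
{
    static char cand[TGZ_BUFSZ];
    size_t count = 0;
    while (tgz_suffix[count])
        count++;
    if (idx >= count)
        return NULL;

    int n = snprintf(cand, sizeof cand, "%s%s", base, tgz_suffix[idx]);
    if (n < 0 || (size_t)n >= sizeof cand)
        return NULL;
    return cand;
}

/* Constructed test input: a name of `len` 'A' bytes (capped at 8191). */
const char *make_name(size_t len)
{
    static char name[8192];
    if (len >= sizeof name)
        len = sizeof name - 1;
    memset(name, 'A', len);
    name[len] = '\0';
    return name;
}

int main(int argc, char **argv)
{
    /* Default to a constructed 2000-byte name when no argument is given. */
    const char *arc = argc > 1 ? argv[1] : make_name(2000);
    char *base = tgzfname_bounded(arc);

    if (!base) {
        fprintf(stderr, "archive name too long (%zu bytes, limit %zu)\n",
                strlen(arc), (size_t)TGZ_BUFSZ - longest_suffix() - 1);
    } else {
        for (size_t i = 0; tgz_suffix[i]; i++)
            printf("candidate: %s\n", tgz_candidate(base, i));
    }

    /* A second argument of "unsafe" exercises the unbounded copy; built
     * with -fsanitize=address and a 2000-byte name this reports a
     * global-buffer-overflow WRITE inside tgzfname_unbounded(). */
    if (argc > 2 && strcmp(argv[2], "unsafe") == 0)
        tgzfname_unbounded(arc);
    return base ? 0 : 1;
}
```

Build with the sanitizer enabled (for example cc -g -fsanitize=address) and run it with a name of 2000 'A' characters followed by the word unsafe to see the same class of ASan report the researchers obtained; without the second argument the bounded path rejects the name and exits non-zero. The limit in the bounded version is 1,016 characters with the illustrative suffixes: 1,016 bytes plus the 7-byte ".tar.gz" plus the NUL exactly fills 1,024, and one more byte is refused.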

The vulnerability requires no special privileges and has low attack complexity, but the attacker must control the arguments passed to untgz: on its own the utility is a local command-line tool, so the realistic exposure is in scripts, build pipelines or services that hand it untrusted filenames.
