A severe buffer overflow vulnerability has been discovered in the zlib untgz utility (the example archive extractor shipped under contrib/ alongside the library, not part of libz itself), affecting version 1.3.1.2. It allows an attacker who controls the utility's command-line arguments to trigger memory corruption with a maliciously crafted archive name.
The vulnerability resides in the TGZfname() function, where an unbounded strcpy() call copies the user-supplied archive name directly into a fixed-size 1024-byte static buffer (which AddressSanitizer classes as a global) without any length validation.
When an attacker supplies an archive name whose length, including the terminating NUL, exceeds 1024 bytes, strcpy() writes past the end of the buffer, causing a global buffer overflow.
What makes this flaw particularly concerning is its trivial exploitability. The vulnerable code runs before any archive parsing or validation, so the overflow is triggered simply by passing a long filename as a command-line argument; no malformed archive and no complex exploitation technique is required.
The root cause stems from several coding weaknesses: the archive name is taken directly from argv[] without sanitization, no bounds check compares the input length against the buffer size before copying, and the overflow occurs immediately on function entry, before anything else could reject the input. Because the destination is a static array rather than stack memory, the overrun lands in global data, where stack-protector canaries offer no protection and neighbouring objects can be silently corrupted.
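The pattern the article describes, shown as an added example rather than zlib's own source: a reconstruction of the unbounded strcpy() into a 1024-byte static buffer beside a hardened variant that refuses names that cannot fit. The suffix-probing loop models how untgz extends the name with candidate extensions; the exact suffix list, function names and the make_name() helper here are illustrative assumptions, not copied from untgz.c.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TGZ_BUF 1024

/* Candidate suffixes appended when the name has no extension
   (assumed list, modelled on untgz's own probing). */
static const char *tgz_suffix[] = { "", ".tar", ".tar.gz", ".tgz", NULL };

/* Length of the longest suffix that may be appended to the name. */
static size_t max_suffix_len(void)
{
    size_t i, m = 0;
    for (i = 0; tgz_suffix[i]; i++)
        if (strlen(tgz_suffix[i]) > m)
            m = strlen(tgz_suffix[i]);
    return m;
}

/* Vulnerable pattern as described in the article: argv-derived data is
   copied with strcpy() into a fixed 1024-byte static buffer. Any name of
   1024 bytes or more overruns the buffer (undefined behaviour), and the
   suffix copies below can overrun it as well. */
char *tgz_fname_vulnerable(const char *arcname)
{
    static char buffer[TGZ_BUF];
    size_t origlen, i;

    strcpy(buffer, arcname);                       /* no length check: the bug */
    origlen = strlen(buffer);
    for (i = 0; tgz_suffix[i]; i++) {
        strcpy(buffer + origlen, tgz_suffix[i]);   /* may also overrun */
        if (access(buffer, F_OK) == 0)
            return buffer;
    }
    buffer[origlen] = '\0';
    return buffer;
}

/* Hardened version: reject any name that cannot fit together with the
   longest suffix and the terminating NUL. Returns NULL when rejected, so
   the caller can report the error instead of corrupting memory. */
char *tgz_fname_safe(const char *arcname)
{
    static char buffer[TGZ_BUF];
    size_t origlen = strlen(arcname), i;

    if (origlen + max_suffix_len() + 1 > sizeof buffer)
        return NULL;                               /* too long: refuse */

    memcpy(buffer, arcname, origlen + 1);
    for (i = 0; tgz_suffix[i]; i++) {
        /* bounded by the check above: origlen + suffix + NUL <= sizeof buffer */
        memcpy(buffer + origlen, tgz_suffix[i], strlen(tgz_suffix[i]) + 1);
        if (access(buffer, F_OK) == 0)
            return buffer;
    }
    buffer[origlen] = '\0';
    return buffer;
}

/* Build an oversized archive name of n 'A' bytes: constructed input that
   stands in for the long argv[1] the article describes (n < 4096). */
static char *make_name(size_t n)
{
    static char name[4096];
    if (n >= sizeof name)
        n = sizeof name - 1;
    memset(name, 'A', n);
    name[n] = '\0';
    return name;
}

int main(int argc, char **argv)
{
    /* Default to a 2000-byte name, the size implied by the 2001-byte write. */
    const char *name = argc > 1 ? argv[1] : make_name(2000);
    char *result = tgz_fname_safe(name);

    if (result == NULL) {
        fprintf(stderr, "archive name too long (%zu bytes, limit %zu)\n",
                strlen(name), (size_t)TGZ_BUF - max_suffix_len() - 1);
        return 1;
    }
    printf("%s\n", result);
    return 0;
}
```

Compiling the same file with `cc -g -fsanitize=address` and swapping the call in main() to tgz_fname_vulnerable() reproduces the global-buffer-overflow report the article describes; the hardened function instead rejects the 2000-byte name and exits with an error. The bound is computed from the longest suffix rather than the bare buffer size, because a name that fits on its own can still overflow once an extension is appended.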
Security researchers at SEC demonstrated the vulnerability with AddressSanitizer (ASAN), which reported a global buffer overflow when the untgz utility was run with a 4096-byte input string.
The ASAN output recorded a WRITE of size 2001 at the overrun address (the copied name plus its terminating NUL), with the stack trace pointing at the strcpy() call on line 136 of untgz.c.
The potential impact ranges from denial-of-service crashes to corruption of adjacent global objects and undefined behaviour.
Depending on the compiler, architecture, build flags and resulting memory layout, an attacker could in some configurations turn the overflow into arbitrary code execution.
Since the overflow lands in global memory rather than on the stack, the corruption is not undone on function return and may persist to influence later program behaviour. Exploitation does require control of the argument passed to untgz, so the realistic exposure is any script or service that forwards untrusted archive names to the utility.
