Discovering copies of zlib

submitted by
Style Pass
2024-07-10 14:00:05

zlib is a very widely used compression library with occasional security problems. This document describes how to identify program binaries which include statically linked copies of zlib, and thus may need a security update.

The zlib program code contains several data tables whose bit patterns are characteristic of the library. The contents of one of these tables are deliberately changed for each new version by the zlib maintainer. As a result, these bit patterns can be used to locate likely statically linked copies of zlib (including the version number) in program binaries, even if copyright notices have been removed.

These bit patterns are based on data constants, not machine code sequences. As a result, at most two signature instances are needed per bit pattern (one for big-endian and one for little-endian machines), rather than one signature for each architecture and compiler combination.

The fingerprint databases published here use the free antivirus scanner ClamAV. Note that this does not imply that zlib is a virus or some other kind of malware. ClamAV is just the right tool to scan a large number of files for a long list of patterns.
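The following script is an added example, not code from the original page or from its fingerprint databases, of how a data-table fingerprint turns into two byte-order signatures and how they are matched against a binary. As a stand-in for a characteristic zlib table it uses the standard CRC-32 lookup table (the one zlib ships in crc32.h), because its contents can be computed rather than copied; the page does not name the version-specific table it relies on, so that table is not reproduced here. The signature name `zlib.crc32table` and the sample "binary" are constructed for the demonstration.

```python
import struct

# Reflected CRC-32 polynomial used by zlib and most other CRC-32 implementations.
CRC32_POLY = 0xEDB88320


def build_crc32_table():
    """Compute the 256-entry CRC-32 lookup table.

    This is the same table zlib compiles in as a constant (crc32.h) unless it
    was built with DYNAMIC_CRC_TABLE, in which case the table is computed at
    run time and no constant pattern exists in the binary. It is used here
    only as a stand-in for a fingerprint table; the CRC table is shared by
    many unrelated CRC-32 implementations, so it is not zlib-specific and
    is not the version-specific table the text refers to.
    """
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC32_POLY if c & 1 else c >> 1
        table.append(c)
    return table


def encode_table(words, endian):
    """Serialise 32-bit words in the given byte order ("little" or "big")."""
    fmt = ("<" if endian == "little" else ">") + "%dI" % len(words)
    return struct.pack(fmt, *words)


def make_signatures(words, name, count=8):
    """Return two ClamAV .ndb signature lines (Name:TargetType:Offset:Hex).

    Target type 0 means "any file" and offset "*" means "anywhere"; one line
    per byte order is all that is needed, because the pattern is data, not
    machine code. `count` words are enough to make an accidental match
    improbable while keeping the signature short.
    """
    return {
        endian: f"{name}.{endian}:0:*:{encode_table(words[:count], endian).hex()}"
        for endian in ("little", "big")
    }


def find_table(blob, words, count=8):
    """Search `blob` for the first `count` words of the table in either byte
    order. Returns a list of (offset, endian) hits, little-endian hits first."""
    hits = []
    for endian in ("little", "big"):
        needle = encode_table(words[:count], endian)
        start = 0
        while True:
            idx = blob.find(needle, start)
            if idx < 0:
                break
            hits.append((idx, endian))
            start = idx + 1
    return hits


def demo():
    """Constructed stand-in for a program binary: filler bytes, the full table
    in little-endian order, zero padding, then a big-endian copy of the first
    eight entries. Returns the hits the scanner finds."""
    table = build_crc32_table()
    blob = (
        b"\x90" * 37
        + encode_table(table, "little")
        + b"\x00" * 64
        + encode_table(table[:8], "big")
        + b"\xcc" * 5
    )
    return find_table(blob, table)


if __name__ == "__main__":
    crc_table = build_crc32_table()
    for line in make_signatures(crc_table, "zlib.crc32table").values():
        print(line)
    for offset, endian in demo():
        print(f"table found at offset {offset} ({endian}-endian)")
```

The two printed lines can be dropped into a `.ndb` file and loaded with `clamscan -d`. A hit on a CRC table alone only says "some CRC-32 implementation is compiled in"; identifying zlib and its version requires the version-specific table the page describes, and a zlib built with DYNAMIC_CRC_TABLE leaves no CRC constant to match at all.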
