Hello,

Noticed in the (fresh) zlib-1.3.2 release notes [0] that an audit was completed by 7asecurity [1]. It links to a (short) OSTIF blog post [2] about it as well as the full report itself [3].

The report identifies the following as vulnerabilities:

* ZLB-01-001 WP2: Heap Buffer Overflow via Legacy gzprintf Implementation (High)
* ZLB-01-002 WP1: Infinite Loop via Arithmetic Shift in crc32_combine64 (Medium)
* ZLB-01-003 WP1: Heap Leak via Uninitialized Memory in inflateCopy (Low)
* ZLB-01-004 WP1: Persistent DoS via Race Condition in fixedtables (Medium)
* ZLB-01-010 WP1: Heap Leak via Uninitialized Memory in deflateCopy (Low)

... and these hardening recommendations:

* ZLB-01-005 WP2: Integer Overflow in Bound Calculations on LLP64 (Low)
* ZLB-01-006 WP2: Silent Data Truncation in Utility APIs on LLP64 (Low)
* ZLB-01-007 WP4: Missing Compiler and Linker Flags in zlib Build (Low)
* ZLB-01-008 WP1: Integer Overflow in Modern zcalloc implementation (Low)
* ZLB-01-009 WP2: Silent Buffer Overrun in inflateBack (Low)

I've not yet made my way through the report. Standard caveats on severity apply, though.

[0] https://github.com/madler/zlib/releases/tag/v1.3.2
[1] https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/
[2] https://ostif.org/zlib-audit-complete/
[3] https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf

sam
