Security audit of the zlib compression library and its bundled ports. Each finding includes a detailed write-up and a patch.
Total findings: 18 -- High: 8, Medium: 10, Low: 0

minizip / zip extraction

#    Finding                                                              Severity
004  Global comment API NULL buffer dereference                           Medium
007  Archive paths can escape extraction directory                        High
028  Repaired archive can claim omitted oversized entry data              Medium
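
The path-escape class listed above (an archive entry named so that it lands outside the extraction root) is usually fixed with a lexical check on the entry name before it is joined to the destination directory. The following is an added example written for this page; it is not the audit's patch and not minizip or zlib code. It assumes entry names arrive as NUL-terminated C strings and treats both '/' and '\' as separators, since archives produced on Windows may carry backslashes.

```c
/* Added example, not from the audit or from minizip/zlib: reject ZIP entry
 * names that could resolve outside the extraction directory, then build the
 * destination path with a single separator style. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Returns 1 if name may be joined under an extraction root, 0 otherwise. */
int entry_path_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    /* Absolute paths and UNC paths: "/etc/passwd", "\\server\share" */
    if (is_sep(name[0]))
        return 0;
    /* Drive-qualified paths: "C:\Windows\..." */
    if (isalpha((unsigned char)name[0]) && name[1] == ':')
        return 0;
    /* Walk the components; any ".." component is rejected whatever the
     * separator in front of it, so "ok/..\..\x" fails like "../x". */
    const char *p = name;
    while (*p) {
        const char *start = p;
        while (*p && !is_sep(*p))
            p++;
        size_t len = (size_t)(p - start);
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return 0;
        while (is_sep(*p))
            p++;
    }
    return 1;
}

/* Writes root + "/" + name into out, normalising every separator to '/'.
 * Returns 0 on success, -1 if the name is unsafe or the result would not fit. */
int build_extract_path(char *out, size_t outsz, const char *root, const char *name)
{
    if (!entry_path_is_safe(name))
        return -1;
    size_t rl = strlen(root), nl = strlen(name);
    if (rl + 1 + nl + 1 > outsz)
        return -1;
    memcpy(out, root, rl);
    out[rl] = '/';
    for (size_t i = 0; i < nl; i++)
        out[rl + 1 + i] = is_sep(name[i]) ? '/' : name[i];
    out[rl + 1 + nl] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample entry names of the kind a crafted archive carries;
     * they are not taken from any real archive. */
    const char *samples[] = {
        "docs/readme.txt",
        "../../etc/cron.d/evil",
        "/etc/passwd",
        "C:\\Windows\\System32\\drivers\\etc\\hosts",
        "ok/..\\..\\escape",
        "trailing/dir/",
    };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_extract_path(path, sizeof path, "/tmp/extract", samples[i]);
        printf("%-45s %s\n", samples[i], rc == 0 ? path : "REJECTED");
    }
    return 0;
}
```

A lexical check is necessary but not sufficient: an earlier entry can create a symlink inside the extraction root and a later, lexically clean entry can then be written through it. Extractors should therefore also refuse to follow existing symlinks when opening output files (O_NOFOLLOW, or a post-join realpath comparison against the root) and, on Windows, additionally reject reserved device names and ':' alternate-stream suffixes, which this example does not cover.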

Zip64 / extra fields

#    Finding                                                              Severity
003  ZIP64 extra field parser overreads declared subfield                 High
009  Extra-field parser trusts attacker-controlled lengths                High
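
Both findings in this group come from the same parsing pattern: an extra field is a run of subfields, each a 16-bit header ID, a 16-bit data size and that many bytes, and the ZIP64 subfield (ID 0x0001) must carry a 64-bit value for each central-directory field that was set to 0xFFFFFFFF. Both the subfield size and the ZIP64 payload length are attacker-controlled, so each has to be bounded by what the buffer actually holds before the data is touched. The following bounds-checked walker is an added example written for this page, not the audit's patch and not minizip's parser; the function and struct names are assumed for illustration, and the sample extra fields are constructed.

```c
/* Added example, not from the audit or from minizip/zlib: walk a ZIP extra
 * field with every length bounded by the bytes that are actually present. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ZIP64_EXTRA_ID 0x0001u

struct zip64_info {
    uint64_t uncompressed_size;
    uint64_t compressed_size;
    uint64_t local_header_offset;
    int have_zip64;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t rd64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* extra/len: the central-directory extra field. cd_*: the 32-bit size and
 * offset fields from the fixed part of the record; 0xFFFFFFFF means "the
 * real value is in the ZIP64 subfield". Returns 0 if every subfield fits in
 * the buffer and the ZIP64 payload is long enough for the fields it owes,
 * -1 otherwise. Unknown subfields are skipped, trailing bytes that cannot
 * hold a subfield header are treated as malformed. */
int parse_extra_field(const uint8_t *extra, size_t len,
                      uint32_t cd_usize, uint32_t cd_csize, uint32_t cd_offset,
                      struct zip64_info *out)
{
    memset(out, 0, sizeof *out);
    out->uncompressed_size = cd_usize;
    out->compressed_size = cd_csize;
    out->local_header_offset = cd_offset;

    size_t pos = 0;
    while (len - pos >= 4) {
        uint16_t id = rd16(extra + pos);
        uint16_t dsize = rd16(extra + pos + 2);
        pos += 4;
        /* Declared subfield length must not exceed what is left. */
        if (dsize > len - pos)
            return -1;
        if (id == ZIP64_EXTRA_ID) {
            const uint8_t *d = extra + pos;
            size_t need = 0;
            if (cd_usize == 0xFFFFFFFFu) need += 8;
            if (cd_csize == 0xFFFFFFFFu) need += 8;
            if (cd_offset == 0xFFFFFFFFu) need += 8;
            /* The payload must be long enough for every promised field. */
            if (need > dsize)
                return -1;
            size_t off = 0;
            if (cd_usize == 0xFFFFFFFFu)  { out->uncompressed_size   = rd64(d + off); off += 8; }
            if (cd_csize == 0xFFFFFFFFu)  { out->compressed_size     = rd64(d + off); off += 8; }
            if (cd_offset == 0xFFFFFFFFu) { out->local_header_offset = rd64(d + off); off += 8; }
            out->have_zip64 = 1;
        }
        pos += dsize;
    }
    return (pos == len) ? 0 : -1;
}

/* Constructed sample extra fields (not from any real archive). */
static const uint8_t sample_good[] = {
    0x01, 0x00, 0x18, 0x00,                         /* ZIP64, 24 bytes */
    0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, /* uncompressed = 4 GiB */
    0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* compressed = 16 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* offset = 0 */
    0x55, 0x54, 0x01, 0x00, 0x03                    /* unknown 'UT' subfield, 1 byte */
};
static const uint8_t sample_overlong[] = {
    0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0  /* claims 256 bytes, has 10 */
};
static const uint8_t sample_short_zip64[] = {
    0x01, 0x00, 0x08, 0x00, 1, 2, 3, 4, 5, 6, 7, 8        /* only one 64-bit field */
};

int main(void)
{
    struct zip64_info zi;
    int rc = parse_extra_field(sample_good, sizeof sample_good,
                               0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFFu, &zi);
    printf("good: rc=%d usize=%llu csize=%llu off=%llu\n", rc,
           (unsigned long long)zi.uncompressed_size,
           (unsigned long long)zi.compressed_size,
           (unsigned long long)zi.local_header_offset);
    printf("overlong: rc=%d\n",
           parse_extra_field(sample_overlong, sizeof sample_overlong, 0, 0, 0, &zi));
    printf("short zip64, two fields owed: rc=%d\n",
           parse_extra_field(sample_short_zip64, sizeof sample_short_zip64,
                             0xFFFFFFFFu, 0xFFFFFFFFu, 0, &zi));
    return 0;
}
```

The two checks map directly onto the two findings: `dsize > len - pos` is the guard against a subfield that declares more data than the buffer holds, and `need > dsize` is the guard against a ZIP64 subfield that is shorter than the set of 0xFFFFFFFF markers in the record implies. Note that the same 8-byte ZIP64 payload is valid when only one field is owed and invalid when two are, so the check has to be driven by the record's markers, not by a fixed minimum size.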

#    Finding                                                              Severity
021  ZIP encryption relies on legacy PKWARE cipher                        High
022  Encrypted header leaks CRC bytes for offline password checks         Medium

#    Finding                                                              Severity
011  Trailer CRC validation missing in joined members                     Medium
020  Insecure vsprintf fallback overflows gzprintf buffer                 High

#    Finding                                                              Severity
005  Unchecked length-prefixed read overflows caller buffer               High
006  Failed length read can use uninitialized size_t value                High
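
The two findings above are the two halves of one reading pattern: a length prefix is read from the input, and the payload it announces is copied into a buffer the caller supplied. If the read of the prefix can fail, the length variable must not be used unless that read succeeded, and once it is known it must be bounded both by the caller's buffer and by what remains in the stream. The reader below is an added example for this page, not the audit's patch and not zlib code; the `reader` struct, the function names and the sample byte stream are assumed and constructed for illustration.

```c
/* Added example, not from the audit or from zlib: a length-prefixed read
 * that never uses an unread length and never exceeds the caller's buffer. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Minimal in-memory byte stream standing in for a file or socket. */
struct reader {
    const uint8_t *data;
    size_t len;
    size_t pos;
};

/* Reads exactly n bytes. Returns 1 on success; on a short read returns 0 and
 * writes nothing, so a caller that ignores the result is left with whatever
 * was in `out` before (uninitialized, in the pattern the finding describes). */
static int read_exact(struct reader *r, void *out, size_t n)
{
    if (n > r->len - r->pos)
        return 0;
    memcpy(out, r->data + r->pos, n);
    r->pos += n;
    return 1;
}

/* Reads a 32-bit little-endian length prefix and then that many bytes into
 * dst, NUL-terminating it. Returns 0 and sets *outlen on success, -1 on a
 * truncated prefix, a payload that would not fit dst, or a payload longer
 * than the remaining input. On error dst, *outlen and the stream position
 * are left unchanged. */
int read_length_prefixed(struct reader *r, char *dst, size_t dstsz, size_t *outlen)
{
    size_t start = r->pos;
    uint8_t raw[4];
    uint32_t len = 0;                     /* only meaningful after read_exact succeeds */

    if (!read_exact(r, raw, sizeof raw))  /* finding 006: check before using len */
        return -1;
    len = (uint32_t)raw[0] | ((uint32_t)raw[1] << 8) |
          ((uint32_t)raw[2] << 16) | ((uint32_t)raw[3] << 24);

    /* finding 005: bound by the caller's buffer, leaving room for the NUL */
    if (dstsz == 0 || len >= dstsz) {
        r->pos = start;
        return -1;
    }
    /* and by the input itself, so a lying prefix cannot read past the end */
    if (len > r->len - r->pos) {
        r->pos = start;
        return -1;
    }
    memcpy(dst, r->data + r->pos, len);
    dst[len] = '\0';
    r->pos += len;
    *outlen = len;
    return 0;
}

/* Constructed sample stream: a valid 5-byte record, then a record whose
 * prefix claims 0x7FFFFFFF bytes, then a prefix cut off after 2 bytes. */
static const uint8_t sample_stream[] = {
    5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o',
    0xFF, 0xFF, 0xFF, 0x7F, 'x',
    2, 0
};

int main(void)
{
    struct reader r = { sample_stream, sizeof sample_stream, 0 };
    char buf[16];
    size_t n = 0;
    for (int i = 0; i < 3; i++) {
        int rc = read_length_prefixed(&r, buf, sizeof buf, &n);
        if (rc == 0)
            printf("record %d: %zu bytes \"%s\"\n", i, n, buf);
        else
            printf("record %d: rejected at offset %zu\n", i, r.pos);
        if (rc != 0)
            break;
    }
    return 0;
}
```

Leaving the stream position untouched on error is a deliberate choice so that a caller can decide whether to abort or resynchronise; the essential part is that `len` starts at a defined value, is only used after the prefix read reports success, and is compared against `dstsz` before anything is copied.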

Locking and file handling

#    Finding                                                              Severity
001  Lock ownership check can delete another process's lock               Medium
023  Negative file length drives unchecked allocation size                Medium
024  Short filename suffix check reads before argument buffer             High

Symlink and path traversal

#    Finding                                                              Severity
002  User-controlled sidecar path allows symlink clobbering               Medium

#    Finding                                                              Severity
019  Fixed Huffman table initialization races across threads              Medium
026  Unsynchronized lazy Huffman table initialization in blast            Medium

#    Finding                                                              Severity
015  Unqualified ZLIB1.dll import crosses library-loading trust boundary  Medium