7ASecurity is proud to share the results of its security audit of zlib. zlib is an open source lossless data-compression library that runs on virtually any hardware and operating system. Thanks to the efforts of the Open Source Technology Improvement Fund and the Sovereign Tech Fund, the project underwent a holistic security review.

Audit Process:
Six auditors on behalf of 7ASecurity performed a whitebox security audit of the zlib core, its public APIs, stream handling, the gzip wrappers, and the platform-specific optimizations and assembly. The team began by building a threat model for zlib, which served both to familiarize them with the codebase and to focus the review on the components most exposed to untrusted input. The auditors also reviewed zlib's supply chain and build system in order to make hardening recommendations.
Audit Results:
- 10 findings in total (5 severity-rated findings plus 5 hardening recommendations), 100% fixed
  - 1 High
  - 2 Medium
  - 2 Low
  - 5 Hardening Recommendations
- Custom Threat Model
- Fix Verification
- Recommendations for Future Security Work
The auditors' report describes the zlib code as "robust and well-engineered," with many security best practices already in place. Mark Adler was highly responsive and helpful to the audit team throughout the process, and as a result all 10 findings have verified fixes. Please update to a zlib release that includes these fixes to take advantage of the work of the maintainer and the audit team. Note that zlib is frequently vendored or statically linked into other applications and runtimes, so updating the system library alone may not cover every copy on a host; check those bundled copies as well. If you would like to learn more about the zlib project, check out their website.
Thank you to the individuals and groups that made this engagement possible:
- Zlib maintainers and community, especially: Mark Adler
- OSTIF: Amir Montazery, Derek Zimmer, Helen Woeste and Tom Welter
- Sovereign Tech Agency
You can read the Audit Report HERE
You can read OSTIF’s Blog HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, reach out to contactus@ostif.org.