Opened 3 hours ago

#5873 new enhancement

zlib-1.3.2

Reported by: Douglas R. Reno
Owned by: lfs-book
Priority: high
Milestone: 13.1
Component: Book
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version

I got a notification on oss-security about this one from Sam James, who is a developer with Gentoo. There was a security audit performed on zlib and it turned up several issues. I've quoted a copy of the email:

Hello,

Noticed in the (fresh) zlib-1.3.2 release notes [0] that an audit was completed by 7asecurity [1].

It links to a (short) OSTIF blog post [2] about it as well as the full report itself [3].

The report identifies the following as vulnerabilities:
* ZLB-01-001 WP2: Heap Buffer Overflow via Legacy gzprintf Implementation (High)
* ZLB-01-002 WP1: Infinite Loop via Arithmetic Shift in crc32_combine64 (Medium)
* ZLB-01-003 WP1: Heap Leak via Uninitialized Memory in inflateCopy (Low)
* ZLB-01-004 WP1: Persistent DoS via Race Condition in fixedtables (Medium)
* ZLB-01-010 WP1: Heap Leak via Uninitialized Memory in deflateCopy (Low)

... and these hardening recommendations:
* ZLB-01-005 WP2: Integer Overflow in Bound Calculations on LLP64 (Low)
* ZLB-01-006 WP2: Silent Data Truncation in Utility APIs on LLP64 (Low)
* ZLB-01-007 WP4: Missing Compiler and Linker Flags in zlib Build (Low)
* ZLB-01-008 WP1: Integer Overflow in Modern zcalloc implementation (Low)
* ZLB-01-009 WP2: Silent Buffer Overrun in inflateBack (Low)

I've not yet made my way through the report. Standard caveats on severity apply, though.

[0] https://github.com/madler/zlib/releases/tag/v1.3.2
[1] https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/
[2] https://ostif.org/zlib-audit-complete/
[3] https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf

sam
