-
Notifications
You must be signed in to change notification settings - Fork 4
Results
Mingye Wang edited this page Dec 22, 2019
·
27 revisions
This page contains a list of known audits (generally, though not necessarily, fuzzing) of compression codecs, conducted both as part of this project and by others. It will probably never be exhaustive, but we will try to come as close as we can.
Possible values for the status column are:
- Unknown — there is insufficient information available to come to a conclusion. You can think of it as a "TODO" item for us to fuzz, or "Help Wanted".
- OK — the implementation has been tested and no issues were found. Note that this doesn't necessarily mean no issues were present, merely that we have no security-related grounds to recommend against using the codec.
- Undisclosed — vulnerabilities exist, but have not yet been disclosed to anyone other than the author.
- Vulnerable — vulnerabilities have been publicly disclosed, but the code has not been fixed yet.
- Abandoned — there are known vulnerablities, but the project is no longer active and is unlikely to receive any security fixes.
Note that "OK" doesn't mean "no issues", it means there has been at least one attempt at fuzzing, and that there are currently no known issues.
| Codec | Status | Results | |||
| Reported | Issues found? | Fixed | Credit | ||
| Apple API | Unknown | ||||
| BALZ | Unknown | ||||
| BriefLZ | OK | ||||
| Brotli | OK | ||||
| BSC | Undisclosed | 2015-11-16 | Yes | m^2 | |
| bzip2 | OK | Unknown | No | N/A | Hanno Böck |
| CRUSH | Unknown | ||||
| CSC | 2015-10-04 | Yes | 2015-12-29 | Evan Nemerson | |
| 2016-01-06 | Yes | 2016-01-11 | Evan Nemerson | ||
| libdeflate | Unknown | ||||
| DENSITY | Vulnerable | 2015-11-03 | Yes | m^2 | |
| Doboz | Vulnerable | 2015-11-21 | Yes | None yet | Evan Nemerson |
| FastARI | Unknown | ||||
| FastLZ | OK | 2015-11-20 | No | N/A | Evan Nemerson |
| FreeArc | Unknown | ||||
| Gipfeli | Unknown | ||||
| GLZA | Unknown | ||||
| Heatshrink | Unknown | ||||
| igzip | Unknown | ||||
| IPP | Unknown | ||||
| LZ4 | OK | ||||
| LZ5 | OK | 2015-12-05 | Yes | 2015-12-05 | m^3 |
| 2015-12-28 | Yes | 2016-01-04 | m^3 | ||
| lzcomp | Unknown | ||||
| LZF | Unknown | ||||
| LZG | Unknown | ||||
| LZHAM | Undisclosed | 2015-11-25 | Yes | No | Evan Nemerson |
| LZMAT | Abandoned | 2013-09-11 | Yes | Evan Nemerson | |
| LZJB | Unknown | ||||
| lzjb-stream | Unknown | ||||
| LZMA | Unknown | ||||
| LZO | Unknown | ||||
| LZO Professional | Unknown | ||||
| LZSSE | Unknown | ||||
| LzTurbo | Unknown | ||||
| MCM | Unknown | ||||
| ms-compress | Unknown | ||||
| ncompress | Unknown | ||||
| Oodle | Unknown | ||||
| Pithy | Abandoned | 2015-11-26 | Yes | Evan Nemerson | |
| QuickLZ | Unknown | ||||
| SCZ | Unknown | ||||
| SLZ | Unknown | ||||
| Snappy | Unknown | ||||
| szip | Unknown | ||||
| wfLZ | Unknown | ||||
| wimlib | Unknown | ||||
| Windows API | Unknown | ||||
| yalz77 | OK | 2015-09-18 | Yes | 2015-09-18 | Evan Nemerson |
| zlib | OK | Unknown | No | N/A | Hanno Böck |
| zlib-ng | Unknown | ||||
| zling | OK | 2015-02-11 | Yes | 2015-12-24 | Evan Nemerson |
| Zopfli | Unknown | ||||
| zpaq | Undisclosed | 2015-02-11 | Yes | 2015-02-18 | Evan Nemerson |
| 2015-11-17 | Yes | m^2 | |||
| zstd | OK | 2015-10-13 | Yes | 2015-10-13 | Evan Nemerson |
| 2015-11-16 | Yes | ? | m^2 | ||
[1] ZPAQ allows the user to embed a decompressor written in ZPAQL in the archive. This lets people experiment with new algorithms while maintaining compatibility with stock ZPAQ, but it means it is possible to create a decompressor with an infinite loop, and it is impossible for ZPAQ to detect.