OSTIF and X41 are excited to announce the completion of our security audit of libjpeg-turbo!

X41 D-Sec and OSTIF collaborated in May of 2023 on a source code audit of libjpeg-turbo, the accelerated JPEG image decoding software.

The audit’s emphasis was on reviewing input validation, memory management practices, and analysis of previously reported bugs. Using dynamic, static, and manual code testing, the audit team analyzed and tested libjpeg-turbo’s source code.

Documented here are the fixes of all three disclosed vulnerabilities and further changes released on 2023-07-03 with version 3.0.0 of libjpeg. 

A big thank you to DRC for implementing the fixes. Per the project’s GitHub sponsorship page, “libjpeg-turbo is one of the few pieces of critical IT infrastructure that is sustained solely through patronage and funded development.”

X41 noted the libjpeg-turbo library was healthy and following best practices, and recommends further testing on the popular project to minimize and prevent current and future security vulnerabilities. 

Special thanks to the X41 team along with AWS for funding this audit!

Read the report here.