[Zlib_jll] Update to v1.2.12+3

[giordano]

Follow up to JuliaPackaging/Yggdrasil#4692.

Note: this is the first build of the real upstream version 1.2.12 which was
released a few days ago.

Usual memo to self:

• update the version number in stdlib/Zlib_jll/Project.toml
• update the version number in deps/zlib.version
• refresh checksums with make -f contrib/refresh_checksums.mk -j zlib

CC: @eschnett

[eschnett]

This is a security update for zlib. It would make sense to backport these changes.

[eschnett]

How is backporting handled? Do people scan closed PRs for backport tags?

[giordano]

I believe @KristofferC has a script which does that automatically

[nsslh]

Please add the security label.

Edit: @KristofferC I suggested this based on Discourse discussion where you mentioned that this could be considered a security update. I guess you're referring to the out-of-bounds fix, although I can't find a CVE for it.

Edit: Found it. I think it's CVE-2018-25032 [High].

[fxcoudert]

@giordano quick question: why is ZLIB_VER in deps/Versions.make still 1.2.11? Is that a mistake that should be updated, or should that line be removed entirely? I do not understand the difference between deps/Versions.make and deps/zlib.version?

[giordano]

That's a good question to which I don't have a definitive answer. deps/zlib.mk fetches the source with the function git-external:

julia/deps/zlib.mk

Line 5 in dea9805

$(eval $(call git-external,zlib,ZLIB,,,$(SRCCACHE)))

which reads deps/zlib.version and uses the variables defined there:

julia/deps/tools/git-external.mk

Lines 24 to 26 in dea9805

	include $$(SRCDIR)/$1.version
	$2_SHA1 := $$(strip $$($2_SHA1))
	$2_BRANCH := $$(strip $$($2_BRANCH))

So I think that the version number in deps/Versions.make is not really used, but judging by the comments at the top of the file the variable still needs to be defined?