8295530: Update Zlib Data Compression Library to Version 1.2.13

[sxa]

As per openjdk/jdk11u-dev#1788 which backported this to 11.

Backporting zlib 1.2.13 due to https://nvd.nist.gov/vuln/detail/CVE-2022-37434 (9.8 CVSS score)
As per the JDK11u change this makes the zlib directory in the source identical to the one for JDK17u so I do not anticipate any problems.

I've run a test build on one Linux/mac/windows version and will run the same set of tier1 testing that I did on the 11 PR, plus some others. I'll probably try to run on some other platforms before requesting an integrate, but I'll also need a sponsor to add the appropriate tags to JDK-8295530 so I'm opening this now.

• Tier 1 (Linux/x64): https://ci.adoptium.net/job/Test_openjdk8_hs_sanity.openjdk_x86-64_linux/1019/testReport/
• Tier 1 (macOS/x64): https://ci.adoptium.net/job/Test_openjdk8_hs_sanity.openjdk_x86-64_mac/778/testReport/
• Tier 1 (Windows/x32): https://ci.adoptium.net/job/Test_openjdk8_hs_sanity.openjdk_x86-32_windows/719/testReport/

This is the first time I've backported to 8 with skara - I'm assuming the process is now the same as 11. If not, please let me know and I will adjust accordingly.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issue

• JDK-8295530: Update Zlib Data Compression Library to Version 1.2.13

Reviewers

• Andrew John Hughes (@gnu-andrew - Reviewer)
• Severin Gehwolf (@jerboaa - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk8u-dev.git pull/277/head:pull/277
$ git checkout pull/277

Update a local copy of the PR:
$ git checkout pull/277
$ git pull https://git.openjdk.org/jdk8u-dev.git pull/277/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 277

View PR using the GUI difftool:
$ git pr show -t 277

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk8u-dev/pull/277.diff

[bridgekeeper]

👋 Welcome back sxa! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[mlbridge]

Webrevs

• 03: Full - Incremental (bc9c3614)
• 02: Full - Incremental (b56e4f3f)
• 01: Full - Incremental (d9c51d9b)
• 00: Full (28d430e5)

[openjdk]

@sxa Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

[sxa]

(Note to anyone reading the previous automated comment - the force push only changed the ChangeLog_Java file which was changed on my local file system but hadn't been pushed so shouldn't invalidate anything else above)

[jerboaa]

@sxa Please enable testing on your fork. See Pre-submit test status section. Click on Details to see what needs to be done. Thanks!

[sxa]

@sxa Please enable testing on your fork. See Pre-submit test status section. Click on Details to see what needs to be done. Thanks!

Done - and seems to have passed :-)

[gnu-andrew]

The changes made to zlib.md in the 11u patch need to be made to THIRD_PARTY_README in 8u.

There are currently multiple identical copies of this file across the old subrepositories. I would suggest just updating the top-level one. I'll open a separate bug & PR to remove the duplicates which I don't think are helpful any more.

$ grep 'zlib' $(find -name 'THIRD_PARTY_README')
./THIRD_PARTY_README:%% This notice is provided with respect to zlib v1.2.11, which may be included 
./corba/THIRD_PARTY_README:%% This notice is provided with respect to zlib v1.2.11, which may be included 
./hotspot/THIRD_PARTY_README:%% This notice is provided with respect to zlib v1.2.11, which may be included 
./jaxp/THIRD_PARTY_README:%% This notice is provided with respect to zlib v1.2.11, which may be included 
./jaxws/THIRD_PARTY_README:%% This notice is provided with respect to zlib v1.2.11, which may be included 
./jdk/THIRD_PARTY_README:%% This notice is provided with respect to zlib v1.2.11, which may be included 
./langtools/THIRD_PARTY_README:%% This notice is provided with respect to zlib v1.2.11, which may be included 
./nashorn/THIRD_PARTY_README:%% This notice is provided with respect to zlib v1.2.11, which may be included 

[sxa]

The changes made to zlib.md in the 11u patch need to be made to THIRD_PARTY_README in 8u.

There are currently multiple identical copies of this file across the old subrepositories. I would suggest just updating the top-level one. I'll open a separate bug & PR to remove the duplicates which I don't think are helpful any more.

Thanks - top level one updated to match the current contents at https://www.zlib.net/zlib_license.html (including the initial line containing the version number to be consistent with how it was before).

The rest of the text matches what's in zlib.md

[sxa]

Is there still sufficient runway to get this into 8u372?

[gnu-andrew]

Is there still sufficient runway to get this into 8u372?

I was wondering what your intention was here when I first reviewed it. Integrating this PR will include it in 8u382. We're still taking critical fixes and regression patches for 8u372 for the next few weeks (https://wiki.openjdk.org/display/jdk8u/Main), directly against https://github.com/openjdk/jdk8u

Does this qualify? It's quite a large change to be making at that stage and I'd prefer it went into 8u382.

[gnu-andrew]

Patch now looks good, by the way. I'm just holding off until we decide whether this is the right tree to push to.

[jerboaa]

Does this qualify? It's quite a large change to be making at that stage and I'd prefer it went into 8u382.

+1 It seems 8u382 is sufficient for this?

[sxa]

Does this qualify? It's quite a large change to be making at that stage and I'd prefer it went into 8u382.

The CVE referenced in the description was raised by a customer about JDK17 where it was flagged by the BDBA scanner
While I haven't run an equivalent scan against JDK8u I would expect the same to be true there, so it ultimately depends on whether this high vulnerability is considered a critical enough fix to warrant inclusion in 8u372. It is targetted for 17.0.7 and 11.0.19 based on the bug so getting it into 8u372 would put it into all streams simultaneously, but I'll defer to your judgement as to whether that's a good enough justification.

[gnu-andrew]

I tend to agree it would be better to do this across all JDKs at the same time, but, as explained in e-mail, I'll let Severin have the final ok on this.

If we do move it to 8u372, just close this PR and open the same changes against openjdk/jdk8u instead.

[jerboaa]

I'm thinking this should be fine for 8u382 in July. Which platforms does in-tree zlib affect, Windows only?

[sxa]

For Eclipse Temurin we're using bundled zlib on most platforms for JDK8 so I would expect Linux, AIX and others to be affected too.

[sxa]

Based on the above discussions targetting 8u382 sounds good to me, so are ok to get this tagged appropriately so it can be integrated? (I don't have author privileges so can't tag it myself)

[sxa]

Tier 1 (Linux/x64): https://ci.adoptium.net/job/Test_openjdk8_hs_sanity.openjdk_x86-64_linux/1019/testReport/
Tier 1 (macOS/x64): https://ci.adoptium.net/job/Test_openjdk8_hs_sanity.openjdk_x86-64_mac/778/testReport/
Tier 1 (Windows/x32): https://ci.adoptium.net/job/Test_openjdk8_hs_sanity.openjdk_x86-32_windows/719/testReport/

Also verified with the tier 1 suites on AIX and Solaris x64 and SPARC with this patch on top of the jdk8u codebase which has an additional fix in. No new regressions introduced.

[jerboaa]

This looks OK. I've tagged the bug and let @gnu-andrew approve it. Once that's done feel free to integrate.

[openjdk]

@sxa This change now passes all automated pre-integration checks.

After integration, the commit message for the final commit will be:

8295530: Update Zlib Data Compression Library to Version 1.2.13

Reviewed-by: andrew, sgehwolf

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 13 new commits pushed to the master branch:

• ca1c3b1: 8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message
• de0e5a2: 8152432: Implement setting jtreg @requires properties vm.flavor, vm.bits, vm.compMode
• ae6405f: 8289301: P11Cipher should not throw out of bounds exception during padding
• ad41d90: 8293232: Fix race condition in pkcs11 SessionManager
• d6f8151: 8282600: SSLSocketImpl should not use user_canceled workaround when not necessary
• a7fb08c: 8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation
• 7c5d77c: Merge
• 5806429: 8245654: Add Certigna Root CA
• 3b80e87: 8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked
• 7c0d5b4: 8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails
• ... and 3 more: https://git.openjdk.org/jdk8u-dev/compare/b51619d24e0643aa0afdba87ac20b371dbb594e8...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@gnu-andrew, @jerboaa) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

[sxa]

@gnu-andrew Are you happy to add the fix yes tag to the bug for this to go into 8u382?

[gnu-andrew]

Sorry for the delay in getting back to this, I was away last week.

I'm happier with it being for 8u382 and will approve. Patch itself looks fine with the THIRD_PARTY_README changes now included.

[gnu-andrew]

Sorry for the delay in getting back to this, I was away last week.

I'm happier with it being for 8u382 and will approve. Patch itself looks fine with the THIRD_PARTY_README changes now included.

[gnu-andrew]

Bug approved. If you want to do /integrate, myself or Severin can sponsor.

[sxa]

/integrate

[openjdk]

@sxa
Your change (at version bc9c361) is now ready to be sponsored by a Committer.

[jerboaa]

/sponsor

[openjdk]

Going to push as commit 5dc33f2.
Since your change was applied there have been 13 commits pushed to the master branch:

• ca1c3b1: 8302791: Add specific ClassLoader object to Proxy IllegalArgumentException message
• de0e5a2: 8152432: Implement setting jtreg @requires properties vm.flavor, vm.bits, vm.compMode
• ae6405f: 8289301: P11Cipher should not throw out of bounds exception during padding
• ad41d90: 8293232: Fix race condition in pkcs11 SessionManager
• d6f8151: 8282600: SSLSocketImpl should not use user_canceled workaround when not necessary
• a7fb08c: 8293815: P11PSSSignature.engineUpdate should not print debug messages during normal operation
• 7c5d77c: Merge
• 5806429: 8245654: Add Certigna Root CA
• 3b80e87: 8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked
• 7c0d5b4: 8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails
• ... and 3 more: https://git.openjdk.org/jdk8u-dev/compare/b51619d24e0643aa0afdba87ac20b371dbb594e8...master

Your commit was automatically rebased without conflicts.

[openjdk]

@jerboaa @sxa Pushed as commit 5dc33f2.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.