
update zlib to 1.2.11 #73355

Closed
doko42 opened this issue Jan 5, 2017 · 15 comments
Labels
3.7 only security fixes extension-modules C modules in the Modules dir

Comments

@doko42
Member

doko42 commented Jan 5, 2017

BPO 29169
Nosy @rhettinger, @doko42, @larryhastings, @ned-deily, @vadmium
PRs
  • [3.4] bpo-29169: Update zlib from 1.2.8 to 1.2.11 #3107
  • [3.3] bpo-29169: Update zlib from 1.2.5 to 1.2.11 #3108
Files
  • zlib-1.2.10.diff
  • zlib-1.2.11.diff
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = 'https://github.com/doko42'
    closed_at = <Date 2017-01-31.12:57:27.285>
    created_at = <Date 2017-01-05.15:11:47.395>
    labels = ['extension-modules', '3.7']
    title = 'update zlib to 1.2.11'
    updated_at = <Date 2019-05-10.18:00:41.797>
    user = 'https://github.com/doko42'

    bugs.python.org fields:

    activity = <Date 2019-05-10.18:00:41.797>
    actor = 'ned.deily'
    assignee = 'doko'
    closed = True
    closed_date = <Date 2017-01-31.12:57:27.285>
    closer = 'doko'
    components = ['Extension Modules']
    creation = <Date 2017-01-05.15:11:47.395>
    creator = 'doko'
    dependencies = []
    files = ['46161', '46464']
    hgrepos = []
    issue_num = 29169
    keywords = ['patch']
    message_count = 15.0
    messages = ['284749', '284760', '284769', '284780', '284797', '286523', '286524', '286527', '286529', '286550', '286616', '286625', '286626', '286627', '300373']
    nosy_count = 6.0
    nosy_names = ['rhettinger', 'doko', 'larry', 'ned.deily', 'python-dev', 'martin.panter']
    pr_nums = ['3107', '3108']
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = None
    url = 'https://bugs.python.org/issue29169'
    versions = ['Python 2.7', 'Python 3.4', 'Python 3.5', 'Python 3.6', 'Python 3.7']

    @doko42
    Member Author

    doko42 commented Jan 5, 2017

    These are the changes updating zlib from 1.2.8 to 1.2.10. It is only used when building without a system zlib. The new release includes fixes for security issues CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843.

    Intending to update all active branches. Larry, is it ok to add this before the upcoming 3.4 and 3.5 releases, or should it wait?

    Changes in 1.2.10 (2 Jan 2017)

    • Avoid warnings on snprintf() return value
    • Fix bug in deflate_stored() for zero-length input
    • Fix bug in gzwrite.c that produced corrupt gzip files
    • Remove files to be installed before copying them in Makefile.in
    • Add warnings when compiling with assembler code

    Changes in 1.2.9 (31 Dec 2016)

    • Fix contrib/minizip to permit unzipping with desktop API [Zouzou]
    • Improve contrib/blast to return unused bytes
    • Assure that gzoffset() is correct when appending
    • Improve compress() and uncompress() to support large lengths
    • Fix bug in test/example.c where error code not saved
    • Remedy Coverity warning [Randers-Pehrson]
    • Improve speed of gzprintf() in transparent mode
    • Fix inflateInit2() bug when windowBits is 16 or 32
    • Change DEBUG macro to ZLIB_DEBUG
    • Avoid uninitialized access by gzclose_w()
    • Allow building zlib outside of the source directory
    • Fix bug that accepted invalid zlib header when windowBits is zero
    • Fix gzseek() problem on MinGW due to buggy _lseeki64 there
    • Loop on write() calls in gzwrite.c in case of non-blocking I/O
    • Add --warn (-w) option to ./configure for more compiler warnings
    • Reject a window size of 256 bytes if not using the zlib wrapper
    • Fix bug when level 0 used with Z_HUFFMAN or Z_RLE
    • Add --debug (-d) option to ./configure to define ZLIB_DEBUG
    • Fix bugs in creating a very large gzip header
    • Add uncompress2() function, which returns the input size used
    • Assure that deflateParams() will not switch functions mid-block
    • Dramatically speed up deflation for level 0 (storing)
    • Add gzfread(), duplicating the interface of fread()
    • Add gzfwrite(), duplicating the interface of fwrite()
    • Add deflateGetDictionary() function
    • Use snprintf() for later versions of Microsoft C
    • Fix *Init macros to use z_ prefix when requested
    • Replace as400 with os400 for OS/400 support [Monnerat]
    • Add crc32_z() and adler32_z() functions with size_t lengths
    • Update Visual Studio project files [AraHaan]

    @doko42 doko42 added the 3.7 only security fixes label Jan 5, 2017
    @doko42 doko42 self-assigned this Jan 5, 2017
    @doko42 doko42 added the extension-modules C modules in the Modules dir label Jan 5, 2017
    @1762cc99-3127-4a62-9baf-30c3d0f51ef7
    Mannequin

    python-dev mannequin commented Jan 5, 2017

    New changeset ed172054a812 by doko in branch '2.7':

    @larryhastings
    Contributor

    I cut 3.4.6rc1 and 3.5.3rc1 a couple of days ago. Do you think the CVEs are bad enough to warrant cherry-picking this? A quick google suggests they were all low severity:

    http://www.openwall.com/lists/oss-security/2016/12/05/21

    I'm inclined to not cherry-pick this, which means it'd ship in 3.5.4 and 3.4.7, probably in six months.

    @rhettinger
    Contributor

    > I'm inclined to not cherry-pick this, which means it'd ship in 3.5.4 and 3.4.7, probably in six months.

    I concur. Looking at the CVEs, these all seem minor and not exploitable through the Python interface.

    @doko42
    Member Author

    doko42 commented Jan 6, 2017

    ok, will wait with the commits until after the releases.

    @doko42
    Member Author

    doko42 commented Jan 31, 2017

    plus the update to 1.2.11

    @doko42 doko42 changed the title update zlib to 1.2.10 update zlib to 1.2.11 Jan 31, 2017
    @1762cc99-3127-4a62-9baf-30c3d0f51ef7
    Mannequin

    python-dev mannequin commented Jan 31, 2017

    New changeset 0136c99a9795 by doko in branch '2.7':

    @1762cc99-3127-4a62-9baf-30c3d0f51ef7
    Mannequin

    python-dev mannequin commented Jan 31, 2017

    New changeset c8c1f08428cb by doko in branch '3.5':

    @doko42
    Member Author

    doko42 commented Jan 31, 2017

    now updated all active branches to 1.2.11

    @doko42 doko42 closed this as completed Jan 31, 2017
    @vadmium
    Member

    vadmium commented Jan 31, 2017

    Misc/NEWS (and the commit message) say 1.2.10. Perhaps you meant 1.2.11?

    @1762cc99-3127-4a62-9baf-30c3d0f51ef7
    Mannequin

    python-dev mannequin commented Feb 1, 2017

    New changeset 7b279c263708 by doko in branch '3.5':
    Issue bpo-29169: Fix NEWS entry.
    https://hg.python.org/cpython/rev/7b279c263708

    @larryhastings
    Contributor

    New changeset d0e61bd by larryhastings (Victor Stinner) in branch '3.4':
    bpo-29169: Update zlib to 1.2.11 (bpo-3107)
    d0e61bd

    @1762cc99-3127-4a62-9baf-30c3d0f51ef7
    Mannequin

    python-dev mannequin commented Apr 9, 2022

    New changeset 7c1f136 by doko in branch '3.6':
    Issue bpo-29169: Fix NEWS entry.
    7c1f136

    @1762cc99-3127-4a62-9baf-30c3d0f51ef7
    Mannequin

    python-dev mannequin commented Apr 9, 2022

    New changeset 7c1f136 by doko in branch '3.5':
    Issue bpo-29169: Fix NEWS entry.
    7c1f136

    @1762cc99-3127-4a62-9baf-30c3d0f51ef7
    Mannequin

    python-dev mannequin commented Apr 9, 2022

    New changeset 7c1f136 by doko in branch 'master':
    Issue bpo-29169: Fix NEWS entry.
    7c1f136

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022