
Update binary builds to use zlib 1.2.13 #98689

Closed
gpshead opened this issue Oct 26, 2022 · 2 comments
Labels
3.10 only security fixes 3.11 only security fixes 3.12 only security fixes OS-windows release-blocker type-bug An unexpected behavior, bug, or error type-security A security issue

Comments

gpshead (Member) commented Oct 26, 2022

A new version of zlib is out: 1.2.13 - https://zlib.net/

zlib 1.2.12 has CVE-2022-37434:
https://www.openwall.com/lists/oss-security/2022/08/09/1

but... we do not appear to call the vulnerable inflateGetHeader API. So this is more of a thing we just need to do before the next round of binary builds rather than an urgent new Windows binary release update as 1.2.12 was.

$ grep -i -c inflateGetHeader Modules/zlibmodule.c 
0

Maybe this doesn't deserve the type-security label, but so long as our binary builds link with 1.2.12 people will ask us about that CVE.

@gpshead gpshead added type-bug An unexpected behavior, bug, or error type-security A security issue OS-windows release-blocker 3.11 only security fixes 3.10 only security fixes 3.9 only security fixes 3.12 only security fixes labels Oct 26, 2022
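The comment above makes two points a practitioner will want to verify for their own interpreter: which zlib a given Python binary actually loads at runtime (which can differ from the one it was compiled against), and whether that version is older than 1.2.13, the release the issue says the binary builds should move to. The following is an added example, not code from the CPython project or from this issue; it uses the stdlib `zlib.ZLIB_VERSION` / `zlib.ZLIB_RUNTIME_VERSION` attributes, and the function names and the version-tuple comparison are this example's own.

```python
import zlib

# Release the issue asks the binary builds to move to; 1.2.12 carries
# CVE-2022-37434 in inflateGetHeader (per the oss-security post linked above).
FIXED_ZLIB = (1, 2, 13)


def parse_zlib_version(version: str) -> tuple:
    """Turn a zlib version string such as '1.2.13' or '1.2.11.1' into a tuple
    of ints. A non-numeric component (e.g. a vendor suffix) ends the parse."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def zlib_needs_update(runtime_version: str, fixed=FIXED_ZLIB) -> bool:
    """True if the zlib loaded at runtime is older than the fixed release.
    Tuple comparison handles differing lengths: (1, 2, 11, 1) < (1, 2, 13)
    and (1, 2, 13, 1) > (1, 2, 13)."""
    return parse_zlib_version(runtime_version) < fixed


def check_current_interpreter() -> dict:
    """Report the build-time and runtime zlib versions of this interpreter.
    ZLIB_RUNTIME_VERSION is what a shared zlib actually loaded; ZLIB_VERSION
    is the header version the module was compiled against."""
    return {
        "compiled_against": zlib.ZLIB_VERSION,
        "loaded_at_runtime": zlib.ZLIB_RUNTIME_VERSION,
        "needs_update": zlib_needs_update(zlib.ZLIB_RUNTIME_VERSION),
    }


if __name__ == "__main__":
    for key, value in check_current_interpreter().items():
        print(f"{key}: {value}")
```

Two caveats. First, as the issue notes, a version below 1.2.13 is not by itself a sign that the interpreter is exploitable: CPython's `zlib` module does not call `inflateGetHeader`, so the `needs_update` result is about what auditors will flag, not about reachable code. Second, a version string alone cannot tell you whether a vendor has backported the fix into a package still reporting 1.2.12; on distribution-built Pythons, check the package changelog rather than trusting this comparison.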
zware added a commit to python/cpython-source-deps that referenced this issue Nov 1, 2022
zware added a commit to zware/cpython that referenced this issue Nov 1, 2022
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Nov 1, 2022
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Nov 1, 2022
@zware zware removed the 3.9 only security fixes label Nov 1, 2022
zware (Member) commented Nov 1, 2022

Since we no longer distribute binaries for 3.9 or before (and aren't actually vulnerable anyway), I don't think we should backport further than 3.10.

miss-islington added a commit that referenced this issue Nov 1, 2022
(cherry picked from commit c085974)

Co-authored-by: Zachary Ware <[email protected]>
miss-islington added a commit that referenced this issue Nov 1, 2022
(cherry picked from commit c085974)

Co-authored-by: Zachary Ware <[email protected]>
@zware zware closed this as completed Nov 1, 2022
Repository owner moved this from Todo to Done in Release and Deferred blockers 🚫 Nov 1, 2022