[CDRIVER-4624] Update zlib to 1.2.13+ Created: 25/Apr/23  Updated: 28/Oct/23  Resolved: 02/May/23

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: 1.22.1
Fix Version/s: 1.24.0

Type: Improvement Priority: Unknown
Reporter: John Becker Assignee: Kevin Albertson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related

Description

The bundled zlib version 1.2.12 is outdated and is affected by a known vulnerability, CVE-2018-25032:

https://nvd.nist.gov/vuln/detail/CVE-2018-25032

The changelog of the recently released zlib 1.2.13 recommends updating.
Quote from https://zlib.net/

Version 1.2.13 has these key updates from 1.2.12:

  • Fix a bug when getting a gzip header extra field with inflateGetHeader(). This remedies CVE-2022-37434.
  • Fix a bug in block type selection when Z_FIXED used. Now the smallest block type is selected, for better compression.
  • Fix a configure issue that discarded the provided CC definition.
  • Correct incorrect inputs provided to the CRC functions. This mitigates a bug in Java.
  • Repair prototypes and exporting of the new CRC functions.
  • Fix inflateBack to detect invalid input with distances too far.

Due to the first bug fix, any installations of 1.2.12 or earlier should be replaced with 1.2.13.



Comments
Comment by Githook User [ 01/May/23 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: CDRIVER-4624 upgrade zlib 1.2.12 to 1.2.13 (#1252)

  • add zlib-1.2.13
  • replace references of zlib-1.2.12 with zlib-1.2.13

Comment by Kevin Albertson [ 01/May/23 ]

Thank you for the report.

https://nvd.nist.gov/vuln/detail/CVE-2022-37434 notes:

only applications that call inflateGetHeader are affected.

I expect the C driver is not impacted by this issue. The C driver does not call `inflateGetHeader`.

Regardless, upgrading to zlib 1.2.13 seems like an improvement.
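The two facts the comment above relies on (is the bundled zlib behind 1.2.13, and do the project's own sources ever call inflateGetHeader) can be checked mechanically against a source tree. The script below is an added example, not code from this ticket or from the C driver project; the directory layout, file names and version values it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the ticket or the C driver). Triage a vendored zlib:
#  1. read ZLIB_VERSION from the bundled zlib.h and compare it with 1.2.13
#  2. count inflateGetHeader() call sites outside the vendored zlib, since
#     CVE-2022-37434 only reaches applications that call that function.

# Exit 0 if dotted version $1 is strictly older than $2 (e.g. 1.2.12 vs 1.2.13).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {           # missing fields compare as 0
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1                               # equal: not older
    }'
}

# Print the version from a line such as:  #define ZLIB_VERSION "1.2.12"
zlib_header_version() {
    sed -n 's/^#define[[:space:]]*ZLIB_VERSION[[:space:]]*"\([0-9.]*\)".*/\1/p' "$1"
}

# Print the number of .c/.h files under $1 that mention inflateGetHeader,
# skipping the vendored zlib directory matched by pattern $2 (zlib itself
# declares and defines the function, so it must not count as a call site).
inflate_get_header_sites() {
    find "$1" -path "$2" -prune -o \( -name '*.c' -o -name '*.h' \) \
        -exec grep -l 'inflateGetHeader' {} + | wc -l | tr -d ' '
}

# Constructed demo tree: an outdated bundled zlib plus driver code that
# compresses with deflate() and never calls inflateGetHeader().
DEMO=$(mktemp -d)
mkdir -p "$DEMO/src/zlib-1.2.12" "$DEMO/src/driver"
printf '#define ZLIB_VERSION "1.2.12"\nint inflateGetHeader(void);\n' \
    > "$DEMO/src/zlib-1.2.12/zlib.h"
printf 'int compress_payload(void) { return 0; } /* uses deflate() only */\n' \
    > "$DEMO/src/driver/compress.c"

VER=$(zlib_header_version "$DEMO/src/zlib-1.2.12/zlib.h")
SITES=$(inflate_get_header_sites "$DEMO/src" "$DEMO/src/zlib-*")
if version_lt "$VER" 1.2.13; then
    echo "bundled zlib $VER is older than 1.2.13: update it"
    [ "$SITES" -eq 0 ] && echo "no inflateGetHeader() call sites: CVE-2022-37434 not reachable"
else
    echo "bundled zlib $VER is current"
fi
rm -rf "$DEMO"
```

On a real checkout, point the two paths at the project's src directory and its vendored zlib directory; a version below 1.2.13 should trigger an update regardless of the call-site count, which only tells you whether the inflateGetHeader() fix was reachable in the meantime.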

Generated at Wed Feb 07 21:21:27 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.