
Fix Issue 23288 - zlib: Fix potential buffer overflow

Open ibara opened this issue 1 year ago • 5 comments

Hello --

As mentioned in the bug report, this fixes a potential buffer overflow in zlib. It is a combined diff from https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1 and https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d

I wasn't sure whether this should go in master or stable, so I chose master. In any event, we probably want this.

ibara, Aug 08 '22 19:08

Thanks for your pull request and interest in making D better, @ibara! We are looking forward to reviewing it, and you should be hearing from a maintainer soon. Please verify that your PR follows this checklist:

  • My PR is fully covered with tests (you can see the coverage diff by visiting the details link of the codecov check)
  • My PR is as minimal as possible (smaller, focused PRs are easier to review than big ones)
  • I have provided a detailed rationale explaining my changes
  • New or modified functions have Ddoc comments (with Params: and Returns:)

Please see CONTRIBUTING.md for more information.

If you have addressed all reviews or aren't sure how to proceed, don't hesitate to ping us with a simple comment.

Bugzilla references

Auto-close | Bugzilla | Severity | Description
---------- | -------- | -------- | -----------
yes        | 23288    | normal   | zlib: Fix potential buffer overflow

Testing this PR locally

If you don't have a local development environment setup, you can use Digger to test this PR:

dub run digger -- build "master + phobos#8528"

dlang-bot, Aug 08 '22 19:08

Is this part of a zlib release?

ibuclaw, Aug 08 '22 19:08

> Is this part of a zlib release?

Not yet, no. The latest release is 1.2.12, which we already have in Phobos. These commits are from the zlib master branch after 1.2.12 was released.

ibara, Aug 08 '22 19:08

> Is this part of a zlib release?
>
> Not yet, no. The latest release is 1.2.12, which we already have in Phobos. These commits are from the zlib master branch after 1.2.12 was released.

I think I'd prefer to just "sync" with the development branch then, as there are other regression fixes for bugs that occurred in the .12 release. Surely there'll be a release soon though if this is critical?

ibuclaw, Aug 09 '22 13:08

> Is this part of a zlib release?
>
> Not yet, no. The latest release is 1.2.12, which we already have in Phobos. These commits are from the zlib master branch after 1.2.12 was released.
>
> I think I'd prefer to just "sync" with the development branch then, as there are other regression fixes for bugs that occurred in the .12 release. Surely there'll be a release soon though if this is critical?

Zlib does not have a good history of timely releases for security critical items: https://orca.security/resources/blog/zlib-memory-corruption-vulnerability-cve-2018-25032/

ibara, Aug 09 '22 15:08

> Why are we not using a git submodule and keeping a copy of the original?

I'm not sure why. There are some diffs to upstream zlib in Phobos zlib.

ibara, Aug 10 '22 15:08