
Update zlib (#31356)

Open miklelappo opened this issue 2 years ago • 2 comments

To mitigate CVE-2022-37434

miklelappo avatar Oct 14 '22 11:10 miklelappo

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: miklelappo / name: Mikhail Lappo (4eadc915f7c31c30f7d6b1b5055729b3ad79a0b6)

Can't add label...

miklelappo avatar Oct 14 '22 18:10 miklelappo

@miklelappo Thank you for bringing this to our attention. CC'ing @ZhenLian from the security team.

From the CVE description:

NOTE: only applications that call inflateGetHeader are affected.

gRPC does not directly call inflateGetHeader, but we should update the dependency regardless.

The work for updating the dependency is a bit more involved than updating the submodule alone. See the third_party dependency update instructions here https://github.com/grpc/grpc/tree/master/third_party. A new zlib minor release was put out a few days ago, v1.2.13, we should pin to it.

drfloob avatar Oct 19 '22 00:10 drfloob

@drfloob thanks for the hint. I updated grpc_deps.bzl and check_submodules.sh in sanity checks. Do I need to do the next steps (or can I even run them myself, or do I have no access to Google Cloud?): [image]

miklelappo avatar Oct 19 '22 06:10 miklelappo

@ZhenLian the Android source tree also contains the old zlib version, and the October security bulletin has no CVE for zlib included. While grpc doesn't directly use this CVE'd functionality, other packages potentially can (although cs.android.com doesn't find any references), but maybe some third parties do: https://cs.android.com/android/platform/superproject/+/master:external/zlib/zlib.h;l=40?q=zlib

miklelappo avatar Oct 19 '22 07:10 miklelappo

step 4: generate_projects.sh passes too now

miklelappo avatar Oct 19 '22 08:10 miklelappo

@drfloob thanks for your help! Really appreciate that!

miklelappo avatar Oct 20 '22 13:10 miklelappo

Is it required to cherry-pick this to v1.50.x branch for the next release?

AshfaqurIntel avatar Oct 24 '22 08:10 AshfaqurIntel

@AshfaqurIntel the release managers for the last four releases (1.47 through 1.50) have been notified, and patch-releases will be available soon.

drfloob avatar Nov 09 '22 22:11 drfloob

@drfloob probably a good idea to backport to 1.46.x as well, since this is our LTS branch for C++ and C#.

jtattermusch avatar Nov 10 '22 09:11 jtattermusch

@drfloob probably a good idea to backport to 1.46.x as well, since this is our LTS branch for C++ and C#.

@drfloob Is there any work planned for this in near future?

frankiefoo-i avatar Dec 09 '22 01:12 frankiefoo-i

I missed this update. Sure, I'll start the backport to 1.46. The backport is done and released in v1.50.0 and v1.49.2.

I'll ping the release managers for v1.48 and v1.47, the commit is in the release branch but the releases were not cut.

drfloob avatar Dec 09 '22 01:12 drfloob

@drfloob thanks for your (and the grpc team's!) work on this. Any chance these backports (specifically 1.48.x) will make their way to PyPi soon?

psfoley avatar Dec 14 '22 22:12 psfoley

@psfoley it shouldn't be necessary. This affects the gRPC core library, and gRPC doesn't use the affected APIs. Any zlib compression you do in your Python application will rely on some other zlib (system zlib, maybe?), not the wrapped C library's bundled version.

drfloob avatar Dec 15 '22 23:12 drfloob
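Two checks come up in this thread: whether the zlib pinned in the Bazel dependency file (grpc_deps.bzl, discussed above) is at or past v1.2.13, and, for the Python question just answered, which zlib the interpreter itself is linked against. The script below is an added example written for this page, not gRPC project code. The `http_archive` fragment it parses is constructed to resemble a Bazel pin by release tarball; the real grpc_deps.bzl may pin zlib by commit hash instead, in which case the parser returns `None` and the pin needs manual review. `zlib.ZLIB_RUNTIME_VERSION` is a real standard-library attribute (Python 3.3+) and reports the zlib actually loaded at runtime, which is the one the thread says Python compression would use.

```python
"""Audit zlib versions against the release that fixes CVE-2022-37434.

Added example for this thread, not code from the gRPC project.
"""
import re
import zlib

# First zlib release carrying the fix, as stated in the thread.
FIXED_VERSION = (1, 2, 13)

# Constructed sample of a Bazel dependency file that pins zlib by release
# tarball. The real grpc_deps.bzl may look different (e.g. pin by commit).
SAMPLE_DEPS_BZL = '''
http_archive(
    name = "zlib",
    build_file = "@com_github_grpc_grpc//third_party:zlib.BUILD",
    sha256 = "<placeholder-sha256>",
    strip_prefix = "zlib-1.2.12",
    urls = ["https://github.com/madler/zlib/archive/v1.2.12.tar.gz"],
)
'''


def version_tuple(text):
    """Turn a leading dotted version ('1.2.12', '1.2.13.zlib-ng') into a tuple of ints."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def pinned_zlib_version(deps_text):
    """Extract the version from a `strip_prefix = "zlib-X.Y.Z"` line.

    Returns None when zlib is pinned by commit hash or not pinned at all;
    such pins must be checked by hand against the upstream tag.
    """
    m = re.search(r'strip_prefix\s*=\s*"zlib-(\d+(?:\.\d+)+)"', deps_text)
    return version_tuple(m.group(1)) if m else None


def is_fixed(version):
    """True only for a parsed version at or beyond the fixed release."""
    return version is not None and version >= FIXED_VERSION


def audit(deps_text):
    """Report on both the build-time pin and the interpreter's runtime zlib."""
    pinned = pinned_zlib_version(deps_text)
    runtime = version_tuple(zlib.ZLIB_RUNTIME_VERSION)
    return {
        "pinned": pinned,
        "pinned_ok": is_fixed(pinned),
        "runtime": runtime,
        "runtime_ok": is_fixed(runtime),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_DEPS_BZL)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real checkout by reading the dependency file into `audit()` instead of the constructed sample; a `pinned` of `None` means the pin is a commit hash and the fix status has to be confirmed from the upstream commit, not inferred.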

Quick update: the package builds for 1.46 through 1.48 need to be fixed, the CI system has drifted a bit since then. We're still working on backporting fixes to get those releases out. CC @jtattermusch @gnossen @yashykt.

drfloob avatar Dec 19 '22 19:12 drfloob

Update: the 1.46.6 release is available, build issues have been resolved. I've pinged the release managers again for 1.47 and 1.48.

Apologies for the delay, gRPC releases are fairly involved processes.

drfloob avatar Jan 18 '23 20:01 drfloob

We now have the zlib library upgraded in patch releases from v1.46 onwards. This job is done.

drfloob avatar Feb 08 '23 21:02 drfloob