miniz-cpp icon indicating copy to clipboard operation
miniz-cpp copied to clipboard

Published 20 hours ago verified publisher icon tfussell

Based on old upstream miniz version with security vulnerabilities

Open cleeus opened this issue 4 years ago • 3 comments

miniz-cpp is based on an old version of zlib/minizip and contains security vulnerabilities. See this example/failing test here: https://github.com/cleeus/miniz-cpp/commit/d2339317086cb6398987bf34f04895ddaa9ba30a

I understand that this project is not in active development but it would be good to point this out in the README, otherwise this code might end up in critical code paths (and it probably alread has). There is a modern, well maintained version of minizip in https://github.com/nmoinvaz/minizip.

cleeus avatar Oct 21 '20 05:10 cleeus

This is a file that crashes with a heap corruption when any of the contained files are decompressed: id_000003.zip

cleeus avatar Oct 22 '20 04:10 cleeus

miniz-cpp is actually not based on any of zlib/minizip, but on miniz. miniz is an independent implementation of zlib compression algorithm.

but code updates from upstream miniz is needed anyway...

harry75369 avatar Dec 14 '20 13:12 harry75369

Thanks for the correction, I confused the two since the code looks so similar. I changed the issue title accordingly.

Is this the authoritative upstream? https://github.com/richgel999/miniz

cleeus avatar Dec 16 '20 06:12 cleeus