Issue 29169: update zlib to 1.2.11

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/73355

classification

Title:	update zlib to 1.2.11
Type:		Stage:	resolved
Components:	Extension Modules	Versions:	Python 3.7, Python 3.6, Python 3.4, Python 3.5, Python 2.7

process

Status:	closed	Resolution:	fixed
Dependencies:		Superseder:
Assigned To:	doko	Nosy List:	doko, larry, martin.panter, ned.deily, python-dev, rhettinger
Priority:	normal	Keywords:	patch

Created on 2017-01-05 15:11 by doko, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name	Uploaded	Description	Edit
zlib-1.2.10.diff	doko, 2017-01-05 15:11
zlib-1.2.11.diff	doko, 2017-01-31 12:30		review

Pull Requests
URL	Status	Linked	Edit
PR 3107	merged	vstinner, 2017-08-16 15:37
PR 3108	closed	vstinner, 2017-08-16 15:42

Messages (15)
msg284749 - (view)	Author: Matthias Klose (doko) *	Date: 2017-01-05 15:11
These are the changes updating zlib from 1.2.8 to 1.2.10. It is only used when building without a system zlib. The new release includes fixes for security issues CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843. Intending to update all active branches. Larry, is it ok to add this before the upcoming 3.4 and 3.5 releases, or should it wait? Changes in 1.2.10 (2 Jan 2017) - Avoid warnings on snprintf() return value - Fix bug in deflate_stored() for zero-length input - Fix bug in gzwrite.c that produced corrupt gzip files - Remove files to be installed before copying them in Makefile.in - Add warnings when compiling with assembler code Changes in 1.2.9 (31 Dec 2016) - Fix contrib/minizip to permit unzipping with desktop API [Zouzou] - Improve contrib/blast to return unused bytes - Assure that gzoffset() is correct when appending - Improve compress() and uncompress() to support large lengths - Fix bug in test/example.c where error code not saved - Remedy Coverity warning [Randers-Pehrson] - Improve speed of gzprintf() in transparent mode - Fix inflateInit2() bug when windowBits is 16 or 32 - Change DEBUG macro to ZLIB_DEBUG - Avoid uninitialized access by gzclose_w() - Allow building zlib outside of the source directory - Fix bug that accepted invalid zlib header when windowBits is zero - Fix gzseek() problem on MinGW due to buggy _lseeki64 there - Loop on write() calls in gzwrite.c in case of non-blocking I/O - Add --warn (-w) option to ./configure for more compiler warnings - Reject a window size of 256 bytes if not using the zlib wrapper - Fix bug when level 0 used with Z_HUFFMAN or Z_RLE - Add --debug (-d) option to ./configure to define ZLIB_DEBUG - Fix bugs in creating a very large gzip header - Add uncompress2() function, which returns the input size used - Assure that deflateParams() will not switch functions mid-block - Dramatically speed up deflation for level 0 (storing) - Add gzfread(), duplicating the interface of fread() - Add gzfwrite(), duplicating the interface of fwrite() - Add deflateGetDictionary() function - Use snprintf() for later versions of Microsoft C - Fix *Init macros to use z_ prefix when requested - Replace as400 with os400 for OS/400 support [Monnerat] - Add crc32_z() and adler32_z() functions with size_t lengths - Update Visual Studio project files [AraHaan]
msg284760 - (view)	Author: Roundup Robot (python-dev)	Date: 2017-01-05 16:26
New changeset ed172054a812 by doko in branch '2.7': - Issue #29169: Update zlib to 1.2.10. https://hg.python.org/cpython/rev/ed172054a812
msg284769 - (view)	Author: Larry Hastings (larry) *	Date: 2017-01-05 19:53
I cut 3.4.6rc1 and 3.5.3rc1 a couple of days ago. Do you think the CVEs are bad enough to warrant cherry-picking this? A quick google suggests they were all low severity: http://www.openwall.com/lists/oss-security/2016/12/05/21 I'm inclined to not cherry-pick this, which means it'd ship in 3.5.4 and 3.4.7, probably in six months.
msg284780 - (view)	Author: Raymond Hettinger (rhettinger) *	Date: 2017-01-05 22:37
> I'm inclined to not cherry-pick this, which means it'd > ship in 3.5.4 and 3.4.7, probably in six months. I concur. Looking at the CVEs, these all seem minor and not exploitable through the Python interface.
msg284797 - (view)	Author: Matthias Klose (doko) *	Date: 2017-01-06 06:23
ok, will wait with the commits until after the releases.
msg286523 - (view)	Author: Matthias Klose (doko) *	Date: 2017-01-31 12:30
plus the update to 1.2.11
msg286524 - (view)	Author: Roundup Robot (python-dev)	Date: 2017-01-31 12:31
New changeset 0136c99a9795 by doko in branch '2.7': - Issue #29169: Update zlib to 1.2.11. https://hg.python.org/cpython/rev/0136c99a9795
msg286527 - (view)	Author: Roundup Robot (python-dev)	Date: 2017-01-31 12:53
New changeset c8c1f08428cb by doko in branch '3.5': - Issue #29169: Update zlib to 1.2.10. https://hg.python.org/cpython/rev/c8c1f08428cb
msg286529 - (view)	Author: Matthias Klose (doko) *	Date: 2017-01-31 12:57
now updated all active branches to 1.2.11
msg286550 - (view)	Author: Martin Panter (martin.panter) *	Date: 2017-01-31 20:32
Misc/NEWS (and the commit message) say 1.2.10. Perhaps you meant 1.2.11?
msg286616 - (view)	Author: Roundup Robot (python-dev)	Date: 2017-02-01 12:02
New changeset 7b279c263708 by doko in branch '3.5': Issue #29169: Fix NEWS entry. https://hg.python.org/cpython/rev/7b279c263708
msg286625 - (view)	Author: Roundup Robot (python-dev)	Date:
New changeset 7c1f136e83fe9a145f509b27417a8dd2a37ac27c by doko in branch '3.6': Issue #29169: Fix NEWS entry. https://github.com/python/cpython/commit/7c1f136e83fe9a145f509b27417a8dd2a37ac27c
msg286626 - (view)	Author: Roundup Robot (python-dev)	Date:
New changeset 7c1f136e83fe9a145f509b27417a8dd2a37ac27c by doko in branch '3.5': Issue #29169: Fix NEWS entry. https://github.com/python/cpython/commit/7c1f136e83fe9a145f509b27417a8dd2a37ac27c
msg286627 - (view)	Author: Roundup Robot (python-dev)	Date:
New changeset 7c1f136e83fe9a145f509b27417a8dd2a37ac27c by doko in branch 'master': Issue #29169: Fix NEWS entry. https://github.com/python/cpython/commit/7c1f136e83fe9a145f509b27417a8dd2a37ac27c
msg300373 - (view)	Author: Larry Hastings (larry) *	Date: 2017-08-16 16:05
New changeset d0e61bded5256e775e470e2c0da22367a1a81970 by larryhastings (Victor Stinner) in branch '3.4': bpo-29169: Update zlib to 1.2.11 (#3107) https://github.com/python/cpython/commit/d0e61bded5256e775e470e2c0da22367a1a81970

History
Date	User	Action	Args
2022-04-11 14:58:41	admin	set	github: 73355
2019-05-10 18:00:41	ned.deily	set	messages: - msg342113
2019-05-10 17:36:41	ned.deily	set	nosy: + ned.deily messages: + msg342113
2017-08-16 16:06:00	larry	set	messages: + msg300373
2017-08-16 15:42:09	vstinner	set	pull_requests: + pull_request3147
2017-08-16 15:37:47	vstinner	set	pull_requests: + pull_request3146
2017-04-02 12:57:40	serhiy.storchaka	set	pull_requests: - pull_request1029
2017-03-31 16:36:30	dstufft	set	pull_requests: + pull_request1029
2017-02-01 13:00:33	python-dev	set	messages: + msg286627
2017-02-01 13:00:31	python-dev	set	messages: + msg286626
2017-02-01 13:00:30	python-dev	set	stage: resolved
2017-02-01 13:00:29	python-dev	set	messages: + msg286625
2017-02-01 12:02:29	python-dev	set	messages: + msg286616
2017-01-31 20:32:30	martin.panter	set	nosy: + martin.panter messages: + msg286550
2017-01-31 12:57:27	doko	set	status: open -> closed resolution: fixed messages: + msg286529
2017-01-31 12:53:52	python-dev	set	messages: + msg286527
2017-01-31 12:31:08	python-dev	set	messages: + msg286524
2017-01-31 12:30:07	doko	set	files: + zlib-1.2.11.diff messages: + msg286523 title: update zlib to 1.2.10 -> update zlib to 1.2.11
2017-01-06 06:23:36	doko	set	messages: + msg284797
2017-01-05 22:37:59	rhettinger	set	nosy: + rhettinger messages: + msg284780
2017-01-05 19:53:43	larry	set	messages: + msg284769
2017-01-05 16:26:47	python-dev	set	nosy: + python-dev messages: + msg284760
2017-01-05 15:11:47	doko	create