This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

classification
Title: update zlib to 1.2.11
Type:
Stage: resolved
Components: Extension Modules
Versions: Python 3.7, Python 3.6, Python 3.4, Python 3.5, Python 2.7
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: doko
Nosy List: doko, larry, martin.panter, ned.deily, python-dev, rhettinger
Priority: normal
Keywords: patch

Created on 2017-01-05 15:11 by doko, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name | Uploaded | Description
zlib-1.2.10.diff | doko, 2017-01-05 15:11 |
zlib-1.2.11.diff | doko, 2017-01-31 12:30 | review
Pull Requests
URL | Status | Linked
PR 3107 | merged | vstinner, 2017-08-16 15:37
PR 3108 | closed | vstinner, 2017-08-16 15:42
Messages (15)
msg284749 - (view) Author: Matthias Klose (doko) * (Python committer) Date: 2017-01-05 15:11
These are the changes updating zlib from 1.2.8 to 1.2.10. It is only used when building without a system zlib.  The new release includes fixes for security issues CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843.

Intending to update all active branches. Larry, is it ok to add this before the upcoming 3.4 and 3.5 releases, or should it wait?

Changes in 1.2.10 (2 Jan 2017)
- Avoid warnings on snprintf() return value
- Fix bug in deflate_stored() for zero-length input
- Fix bug in gzwrite.c that produced corrupt gzip files
- Remove files to be installed before copying them in Makefile.in
- Add warnings when compiling with assembler code

Changes in 1.2.9 (31 Dec 2016)
- Fix contrib/minizip to permit unzipping with desktop API [Zouzou]
- Improve contrib/blast to return unused bytes
- Assure that gzoffset() is correct when appending
- Improve compress() and uncompress() to support large lengths
- Fix bug in test/example.c where error code not saved
- Remedy Coverity warning [Randers-Pehrson]
- Improve speed of gzprintf() in transparent mode
- Fix inflateInit2() bug when windowBits is 16 or 32
- Change DEBUG macro to ZLIB_DEBUG
- Avoid uninitialized access by gzclose_w()
- Allow building zlib outside of the source directory
- Fix bug that accepted invalid zlib header when windowBits is zero
- Fix gzseek() problem on MinGW due to buggy _lseeki64 there
- Loop on write() calls in gzwrite.c in case of non-blocking I/O
- Add --warn (-w) option to ./configure for more compiler warnings
- Reject a window size of 256 bytes if not using the zlib wrapper
- Fix bug when level 0 used with Z_HUFFMAN or Z_RLE
- Add --debug (-d) option to ./configure to define ZLIB_DEBUG
- Fix bugs in creating a very large gzip header
- Add uncompress2() function, which returns the input size used
- Assure that deflateParams() will not switch functions mid-block
- Dramatically speed up deflation for level 0 (storing)
- Add gzfread(), duplicating the interface of fread()
- Add gzfwrite(), duplicating the interface of fwrite()
- Add deflateGetDictionary() function
- Use snprintf() for later versions of Microsoft C
- Fix *Init macros to use z_ prefix when requested
- Replace as400 with os400 for OS/400 support [Monnerat]
- Add crc32_z() and adler32_z() functions with size_t lengths
- Update Visual Studio project files [AraHaan]
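The practical question behind this message is whether a given interpreter actually carries the fixed zlib: the bundled copy only matters for builds made without a system zlib, and a Python linked against a shared system zlib picks up whatever library is installed at run time. The following check is an added example, not part of this issue, the patches attached to it, or CPython's own code. It relies on two real standard-library attributes, `zlib.ZLIB_VERSION` (the version compiled against) and `zlib.ZLIB_RUNTIME_VERSION` (the version loaded at run time, present since Python 3.3); the helper names, the minimum-version constant and the sample version strings used in its comments are assumptions constructed for illustration.

```python
import re
import zlib

# Minimum zlib release carrying the fixes for CVE-2016-9840 through
# CVE-2016-9843 (this issue settled on 1.2.11 after 1.2.10 was superseded).
# Assumed threshold, chosen for this example.
MIN_FIXED = (1, 2, 11)

# Leading dotted-numeric prefix of a version string; anything after it
# (a fork tag or distro suffix) is ignored for comparison purposes.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_zlib_version(text):
    """Return the numeric prefix of a zlib version string as an int tuple.

    Accepts plain releases ("1.2.11"), four-part builds ("1.2.11.1") and
    strings with a trailing tag. The tagged samples used in the tests
    ("1.2.11.zlib-ng", "1.2.8-debian") are constructed for illustration.
    Raises ValueError when no numeric prefix is present.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unparseable zlib version: %r" % (text,))
    return tuple(int(part) for part in match.group(1).split("."))


def is_fixed(version_text, minimum=MIN_FIXED):
    """True if version_text is at or above `minimum`.

    Both tuples are zero-padded to the same length before comparing, so
    "1.3" counts as newer than (1, 2, 11) and "1.2.11" is older than
    (1, 2, 11, 1) rather than being rejected for having fewer components.
    """
    parts = parse_zlib_version(version_text)
    width = max(len(parts), len(minimum))
    padded_parts = parts + (0,) * (width - len(parts))
    padded_minimum = tuple(minimum) + (0,) * (width - len(minimum))
    return padded_parts >= padded_minimum


def check_interpreter():
    """Report the zlib this interpreter was built against and the one it loaded.

    The two values differ when Python was built against a system zlib and the
    shared library has since been upgraded or downgraded; a bundled, statically
    linked zlib (the case this issue is about) reports the same value twice.
    """
    compiled = zlib.ZLIB_VERSION
    # ZLIB_RUNTIME_VERSION is absent on interpreters older than 3.3; fall back
    # to the compile-time value there rather than failing.
    runtime = getattr(zlib, "ZLIB_RUNTIME_VERSION", compiled)
    return {
        "compiled": compiled,
        "runtime": runtime,
        "compiled_fixed": is_fixed(compiled),
        "runtime_fixed": is_fixed(runtime),
    }


if __name__ == "__main__":
    report = check_interpreter()
    for key in ("compiled", "runtime", "compiled_fixed", "runtime_fixed"):
        print("%-15s %s" % (key + ":", report[key]))
```

One caveat when reading the result: the version string only tells you the upstream release number. Distribution packages commonly backport security fixes without bumping that number, so a runtime value below 1.2.11 on a vendor-patched system is a prompt to read the package changelog, not proof of exposure; conversely, a value at or above 1.2.11 says nothing about how the library was built or which other code paths the interpreter exposes.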
msg284760 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2017-01-05 16:26
New changeset ed172054a812 by doko in branch '2.7':
- Issue #29169: Update zlib to 1.2.10.
https://hg.python.org/cpython/rev/ed172054a812
msg284769 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2017-01-05 19:53
I cut 3.4.6rc1 and 3.5.3rc1 a couple of days ago.  Do you think the CVEs are bad enough to warrant cherry-picking this?  A quick google suggests they were all low severity:

http://www.openwall.com/lists/oss-security/2016/12/05/21

I'm inclined to not cherry-pick this, which means it'd ship in 3.5.4 and 3.4.7, probably in six months.
msg284780 - (view) Author: Raymond Hettinger (rhettinger) * (Python committer) Date: 2017-01-05 22:37
> I'm inclined to not cherry-pick this, which means it'd 
> ship in 3.5.4 and 3.4.7, probably in six months.

I concur.  Looking at the CVEs, these all seem minor and not exploitable through the Python interface.
msg284797 - (view) Author: Matthias Klose (doko) * (Python committer) Date: 2017-01-06 06:23
ok, will wait with the commits until after the releases.
msg286523 - (view) Author: Matthias Klose (doko) * (Python committer) Date: 2017-01-31 12:30
plus the update to 1.2.11
msg286524 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2017-01-31 12:31
New changeset 0136c99a9795 by doko in branch '2.7':
- Issue #29169: Update zlib to 1.2.11.
https://hg.python.org/cpython/rev/0136c99a9795
msg286527 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2017-01-31 12:53
New changeset c8c1f08428cb by doko in branch '3.5':
- Issue #29169: Update zlib to 1.2.10.
https://hg.python.org/cpython/rev/c8c1f08428cb
msg286529 - (view) Author: Matthias Klose (doko) * (Python committer) Date: 2017-01-31 12:57
now updated all active branches to 1.2.11
msg286550 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2017-01-31 20:32
Misc/NEWS (and the commit message) say 1.2.10. Perhaps you meant 1.2.11?
msg286616 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2017-02-01 12:02
New changeset 7b279c263708 by doko in branch '3.5':
Issue #29169: Fix NEWS entry.
https://hg.python.org/cpython/rev/7b279c263708
msg286625 - (view) Author: Roundup Robot (python-dev) (Python triager) Date:
New changeset 7c1f136e83fe9a145f509b27417a8dd2a37ac27c by doko in branch '3.6':
Issue #29169: Fix NEWS entry.
https://github.com/python/cpython/commit/7c1f136e83fe9a145f509b27417a8dd2a37ac27c
msg286626 - (view) Author: Roundup Robot (python-dev) (Python triager) Date:
New changeset 7c1f136e83fe9a145f509b27417a8dd2a37ac27c by doko in branch '3.5':
Issue #29169: Fix NEWS entry.
https://github.com/python/cpython/commit/7c1f136e83fe9a145f509b27417a8dd2a37ac27c
msg286627 - (view) Author: Roundup Robot (python-dev) (Python triager) Date:
New changeset 7c1f136e83fe9a145f509b27417a8dd2a37ac27c by doko in branch 'master':
Issue #29169: Fix NEWS entry.
https://github.com/python/cpython/commit/7c1f136e83fe9a145f509b27417a8dd2a37ac27c
msg300373 - (view) Author: Larry Hastings (larry) * (Python committer) Date: 2017-08-16 16:05
New changeset d0e61bded5256e775e470e2c0da22367a1a81970 by larryhastings (Victor Stinner) in branch '3.4':
bpo-29169: Update zlib to 1.2.11 (#3107)
https://github.com/python/cpython/commit/d0e61bded5256e775e470e2c0da22367a1a81970
History
Date | User | Action | Args
2022-04-11 14:58:41 | admin | set | github: 73355
2019-05-10 18:00:41 | ned.deily | set | messages: - msg342113
2019-05-10 17:36:41 | ned.deily | set | nosy: + ned.deily; messages: + msg342113
2017-08-16 16:06:00 | larry | set | messages: + msg300373
2017-08-16 15:42:09 | vstinner | set | pull_requests: + pull_request3147
2017-08-16 15:37:47 | vstinner | set | pull_requests: + pull_request3146
2017-04-02 12:57:40 | serhiy.storchaka | set | pull_requests: - pull_request1029
2017-03-31 16:36:30 | dstufft | set | pull_requests: + pull_request1029
2017-02-01 13:00:33 | python-dev | set | messages: + msg286627
2017-02-01 13:00:31 | python-dev | set | messages: + msg286626
2017-02-01 13:00:30 | python-dev | set | stage: resolved
2017-02-01 13:00:29 | python-dev | set | messages: + msg286625
2017-02-01 12:02:29 | python-dev | set | messages: + msg286616
2017-01-31 20:32:30 | martin.panter | set | nosy: + martin.panter; messages: + msg286550
2017-01-31 12:57:27 | doko | set | status: open -> closed; resolution: fixed; messages: + msg286529
2017-01-31 12:53:52 | python-dev | set | messages: + msg286527
2017-01-31 12:31:08 | python-dev | set | messages: + msg286524
2017-01-31 12:30:07 | doko | set | files: + zlib-1.2.11.diff; messages: + msg286523; title: update zlib to 1.2.10 -> update zlib to 1.2.11
2017-01-06 06:23:36 | doko | set | messages: + msg284797
2017-01-05 22:37:59 | rhettinger | set | nosy: + rhettinger; messages: + msg284780
2017-01-05 19:53:43 | larry | set | messages: + msg284769
2017-01-05 16:26:47 | python-dev | set | nosy: + python-dev; messages: + msg284760
2017-01-05 15:11:47 | doko | create |