
Upgrade to zlib v1.2.12 in CPython binary releases #91350

Closed
gpshead opened this issue Apr 1, 2022 · 12 comments · Fixed by #32250
Labels
3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes extension-modules C modules in the Modules dir OS-windows release-blocker type-security A security issue

Comments

@gpshead
Member

gpshead commented Apr 1, 2022

BPO 47194
Nosy @gpshead, @pfmoore, @tjguk, @ned-deily, @ambv, @zware, @zooba, @pablogsal, @miss-islington
PRs
  • bpo-47194: Update zlib on Windows #32241
  • [3.10] bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241) #32248
  • [3.9] bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241) #32249
  • [3.8] bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241) #32250
  • [3.7] bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241) #32251
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = None
    created_at = <Date 2022-04-01.19:25:42.678>
    labels = ['3.8', '3.9', 'release-blocker', 'extension-modules', '3.7', 'type-security', '3.10', '3.11', 'OS-windows']
    title = 'Upgrade to zlib v1.2.12 in CPython binary releases'
    updated_at = <Date 2022-04-04.03:27:26.636>
    user = 'https://github.com/gpshead'

    bugs.python.org fields:

    activity = <Date 2022-04-04.03:27:26.636>
    actor = 'ned.deily'
    assignee = 'none'
    closed = False
    closed_date = None
    closer = None
    components = ['Extension Modules', 'Windows']
    creation = <Date 2022-04-01.19:25:42.678>
    creator = 'gregory.p.smith'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 47194
    keywords = ['patch']
    message_count = 5.0
    messages = ['416510', '416552', '416555', '416556', '416651']
    nosy_count = 9.0
    nosy_names = ['gregory.p.smith', 'paul.moore', 'tim.golden', 'ned.deily', 'lukasz.langa', 'zach.ware', 'steve.dower', 'pablogsal', 'miss-islington']
    pr_nums = ['32241', '32248', '32249', '32250', '32251']
    priority = 'release blocker'
    resolution = None
    stage = 'patch review'
    status = 'open'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue47194'
    versions = ['Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10', 'Python 3.11']

@gpshead
Member Author

gpshead commented Apr 1, 2022

zlib v1.2.11 as used in Windows binary releases contains a security issue that, while fixed in its git repo years ago, never wound up in a release or a CVE until just now.

Follow the https://www.openwall.com/lists/oss-security/2022/03/24/1 thread and the recently assigned CVE-2018-25032.

I believe we only ship our own zlib on Windows so this issue is tagged as such. The above oss-security thread is where an idea of severity will come out.

@gpshead gpshead added 3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes 3.11 only security fixes release-blocker extension-modules C modules in the Modules dir OS-windows type-security A security issue labels Apr 1, 2022
@zooba
Member

zooba commented Apr 2, 2022

New changeset 6066739 by Zachary Ware in branch 'main':
bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241)

@miss-islington
Contributor

New changeset 0f0f85e by Miss Islington (bot) in branch '3.9':
bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241)

@miss-islington
Contributor

New changeset 16a809f by Miss Islington (bot) in branch '3.10':
bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241)

@ned-deily
Member

New changeset 387f93c by Miss Islington (bot) in branch '3.7':
bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241) (GH-32251)

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
@pablogsal
Member

Is there anything left to do in this issue? Can we close it?

@vstinner
Member

vstinner commented May 6, 2022

> Is there anything left to do in this issue? Can we close it?

It seems like zlib is still outdated in Python 3.8.

I have a tool to check for "external libraries versions": https://github.com/vstinner/misc/blob/main/cpython/external_versions.py

    $ (cd main/; ~/myprojects/misc/cpython/external_versions.py|grep zlib)
    zlib[Windows]: 1.2.12
    $ (cd 3.10/; ~/myprojects/misc/cpython/external_versions.py|grep zlib)
    zlib[Windows]: 1.2.12
    $ (cd 3.9/; ~/myprojects/misc/cpython/external_versions.py|grep zlib)
    zlib[Windows]: 1.2.12
    $ (cd 3.8/; ~/myprojects/misc/cpython/external_versions.py|grep zlib)
    zlib[Windows]: 1.2.11
    $ (cd 3.7/; ~/myprojects/misc/cpython/external_versions.py|grep zlib)
    zlib[Windows]: 1.2.12
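The check above looks at the source tree of each branch. An added example, not part of this thread and not vstinner's tool, that asks an installed interpreter the same question: it reads the zlib version CPython was compiled against and the one actually loaded, and flags anything older than the 1.2.12 fix release named in this issue. The `sys.platform` test stands in for the thread's point that CPython bundles its own zlib only on Windows; the assumption that an OS-packaged zlib elsewhere may carry a backported fix without a version bump is mine.

```python
import re
import sys
import zlib

# First zlib release that ships the CVE-2018-25032 fix (from this issue).
FIXED_ZLIB_VERSION = "1.2.12"


def parse_version(version: str) -> tuple:
    """Turn '1.2.11' or '1.2.11.1' into a comparable tuple of ints.

    Trailing non-digits in a component ('1.2.13-dev') are dropped;
    components without leading digits are skipped.
    """
    parts = []
    for component in version.split("."):
        match = re.match(r"\d+", component)
        if match:
            parts.append(int(match.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when this zlib version predates the 1.2.12 fix release."""
    return parse_version(version) < parse_version(FIXED_ZLIB_VERSION)


def audit(compiled: str = zlib.ZLIB_VERSION,
          runtime: str = zlib.ZLIB_RUNTIME_VERSION,
          platform: str = sys.platform) -> dict:
    """Report the zlib this interpreter was built against and loaded.

    Per the thread, only the Windows installers bundle CPython's own zlib.
    Elsewhere the loaded zlib is the OS package, which may carry the fix
    as a distro backport without a version bump (assumption: treat a hit
    there as 'check the package changelog', not 'vulnerable').
    """
    return {
        "compiled_against": compiled,
        "loaded_at_runtime": runtime,
        "predates_fix": is_affected(runtime),
        "bundled_by_cpython": platform.startswith("win"),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```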
    

@vstinner
Member

vstinner commented May 6, 2022

> It seems like zlib is still outdated in Python 3.8.

There is #32250 but the Docs CI failed. I removed/added back the "backport to 3.8" label on #32241 and it updated the 3.8 PR.

@gpshead
Member Author

gpshead commented May 6, 2022

yep just waiting on that 3.8 PR being merged by its RM. we don't have a good way to indicate which branches an issue remains a release-blocker for.

@zware
Member

zware commented May 16, 2022

With the merge of #32250, this is now resolved in all active branches. Does anyone have a handle on whether the severity of the CVE is high enough to warrant releases?

@ambv
Contributor

ambv commented May 16, 2022

Since we only ship our own zlib with installers and 3.7-3.8 aren't shipping installers anymore, I don't think we need a security release for that. The only other change in 3.8 is a sqlite segfault fix so I think I'll pass on releasing a 3.8 at this time.

@ned-deily
Member

> Since we only ship our own zlib with installers and 3.7-3.8 aren't shipping installers anymore, I don't think we need a security release for that.

Likewise with 3.7 so time to close this. Thanks, everyone!

    8 participants