* [CVE] zlib (< 1.2.12) memory corruption
@ 2022-04-05 13:56 Luis Machado
2022-04-08 13:36 ` Nick Clifton
2022-04-12 15:27 ` Nick Clifton
0 siblings, 2 replies; 4+ messages in thread
From: Luis Machado @ 2022-04-05 13:56 UTC (permalink / raw)
To: binutils, gdb, gcc
Hi,
There is a CVE [1] for zlib < 1.2.12 (released march 27th).
GCC currently uses zlib 1.2.11, and binutils-gdb imports the zlib
directory from GCC. The recommendation is to get it updated to 1.2.12,
which contains the proper fix [2].
It might not affect gcc/binutils/gdb since the code doesn't seem to be
using the problematic option Z_FIXED, but it seems like a good idea to
consider bumping the version of zlib we use.
[1] https://nvd.nist.gov/vuln/detail/CVE-2018-25032
[2]
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [CVE] zlib (< 1.2.12) memory corruption
2022-04-05 13:56 [CVE] zlib (< 1.2.12) memory corruption Luis Machado
@ 2022-04-08 13:36 ` Nick Clifton
2022-04-12 7:30 ` Luis Machado
2022-04-12 15:27 ` Nick Clifton
1 sibling, 1 reply; 4+ messages in thread
From: Nick Clifton @ 2022-04-08 13:36 UTC (permalink / raw)
To: Luis Machado, binutils, gdb, gcc
Hi Luis,
> There is a CVE [1] for zlib < 1.2.12 (released march 27th).
>
> GCC currently uses zlib 1.2.11, and binutils-gdb imports the zlib directory from GCC. The recommendation is to get it updated to 1.2.12, which contains the proper fix [2].
I am all for updating the binutils-gdb copy of zlib. I will wait a couple of
days to see if anyone else has any comments or concerns, but if not, then I
will apply the patches myself.
Cheers
Nick
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [CVE] zlib (< 1.2.12) memory corruption
2022-04-08 13:36 ` Nick Clifton
@ 2022-04-12 7:30 ` Luis Machado
0 siblings, 0 replies; 4+ messages in thread
From: Luis Machado @ 2022-04-12 7:30 UTC (permalink / raw)
To: Nick Clifton, binutils, gdb, gcc
Hi Nick,
On 4/8/22 14:36, Nick Clifton wrote:
> Hi Luis,
>
>> There is a CVE [1] for zlib < 1.2.12 (released march 27th).
>>
>> GCC currently uses zlib 1.2.11, and binutils-gdb imports the zlib
>> directory from GCC. The recommendation is to get it updated to 1.2.12,
>> which contains the proper fix [2].
>
> I am all for updating the binutils-gdb copy of zlib. I will wait a
> couple of
> days to see if anyone else has any comments or concerns, but if not, then I
> will apply the patches myself.
I did a quick check and there seems to be some differences between gcc's
zlib subdir and binutils-gdb's zlib subdir. I think there has been some
fixes that we may have to port over from our current zlib subdir. I
tried simply replacing the subdir, but that didn't work right.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [CVE] zlib (< 1.2.12) memory corruption
2022-04-05 13:56 [CVE] zlib (< 1.2.12) memory corruption Luis Machado
2022-04-08 13:36 ` Nick Clifton
@ 2022-04-12 15:27 ` Nick Clifton
1 sibling, 0 replies; 4+ messages in thread
From: Nick Clifton @ 2022-04-12 15:27 UTC (permalink / raw)
To: Luis Machado, binutils, gdb, gcc
Hi Luis,
> There is a CVE [1] for zlib < 1.2.12 (released march 27th).
>
> GCC currently uses zlib 1.2.11, and binutils-gdb imports the zlib directory from GCC. The recommendation is to get it updated to 1.2.12, which contains the proper fix [2].
>
Right - I have now updated the binutils-gdb mainline sources with this release.
Whilst it is true that the gcc version of zlib sources had diverged slightly from
the 1.2.11 release sources, I think that it was just some changes cherry picked
from the developments that went in to 1.2.12. So a simple rebase should be safe.
Cheers
Nick
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-04-12 15:27 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-04-05 13:56 [CVE] zlib (< 1.2.12) memory corruption Luis Machado
2022-04-08 13:36 ` Nick Clifton
2022-04-12 7:30 ` Luis Machado
2022-04-12 15:27 ` Nick Clifton
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).