
Created on 2017-01-05 15:11 by doko, last changed 2022-04-11 14:58 by admin. This issue is now closed.
| Files | | |
|---|---|---|
| File name | Uploaded | Description |
| zlib-1.2.10.diff | doko, 2017-01-05 15:11 | |
| zlib-1.2.11.diff | doko, 2017-01-31 12:30 | |
| Pull Requests | | |
|---|---|---|
| URL | Status | Linked |
| PR 3107 | merged | vstinner, 2017-08-16 15:37 |
| PR 3108 | closed | vstinner, 2017-08-16 15:42 |
| Messages (15) | |||
|---|---|---|---|
| msg284749 | Author: Matthias Klose (doko) | Date: 2017-01-05 15:11 | |

These are the changes updating zlib from 1.2.8 to 1.2.10. It is only used when building without a system zlib. The new release includes fixes for security issues CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843.

Intending to update all active branches. Larry, is it ok to add this before the upcoming 3.4 and 3.5 releases, or should it wait?

Changes in 1.2.10 (2 Jan 2017)
- Avoid warnings on snprintf() return value
- Fix bug in deflate_stored() for zero-length input
- Fix bug in gzwrite.c that produced corrupt gzip files
- Remove files to be installed before copying them in Makefile.in
- Add warnings when compiling with assembler code

Changes in 1.2.9 (31 Dec 2016)
- Fix contrib/minizip to permit unzipping with desktop API [Zouzou]
- Improve contrib/blast to return unused bytes
- Assure that gzoffset() is correct when appending
- Improve compress() and uncompress() to support large lengths
- Fix bug in test/example.c where error code not saved
- Remedy Coverity warning [Randers-Pehrson]
- Improve speed of gzprintf() in transparent mode
- Fix inflateInit2() bug when windowBits is 16 or 32
- Change DEBUG macro to ZLIB_DEBUG
- Avoid uninitialized access by gzclose_w()
- Allow building zlib outside of the source directory
- Fix bug that accepted invalid zlib header when windowBits is zero
- Fix gzseek() problem on MinGW due to buggy _lseeki64 there
- Loop on write() calls in gzwrite.c in case of non-blocking I/O
- Add --warn (-w) option to ./configure for more compiler warnings
- Reject a window size of 256 bytes if not using the zlib wrapper
- Fix bug when level 0 used with Z_HUFFMAN or Z_RLE
- Add --debug (-d) option to ./configure to define ZLIB_DEBUG
- Fix bugs in creating a very large gzip header
- Add uncompress2() function, which returns the input size used
- Assure that deflateParams() will not switch functions mid-block
- Dramatically speed up deflation for level 0 (storing)
- Add gzfread(), duplicating the interface of fread()
- Add gzfwrite(), duplicating the interface of fwrite()
- Add deflateGetDictionary() function
- Use snprintf() for later versions of Microsoft C
- Fix *Init macros to use z_ prefix when requested
- Replace as400 with os400 for OS/400 support [Monnerat]
- Add crc32_z() and adler32_z() functions with size_t lengths
- Update Visual Studio project files [AraHaan]

| msg284760 | Author: Roundup Robot (python-dev) | Date: 2017-01-05 16:26 | |

New changeset ed172054a812 by doko in branch '2.7':
- Issue #29169: Update zlib to 1.2.10.
https://hg.python.org/cpython/rev/ed172054a812

| msg284769 | Author: Larry Hastings (larry) | Date: 2017-01-05 19:53 | |

I cut 3.4.6rc1 and 3.5.3rc1 a couple of days ago. Do you think the CVEs are bad enough to warrant cherry-picking this? A quick google suggests they were all low severity:

http://www.openwall.com/lists/oss-security/2016/12/05/21

I'm inclined to not cherry-pick this, which means it'd ship in 3.5.4 and 3.4.7, probably in six months.

| msg284780 | Author: Raymond Hettinger (rhettinger) | Date: 2017-01-05 22:37 | |

> I'm inclined to not cherry-pick this, which means it'd
> ship in 3.5.4 and 3.4.7, probably in six months.

I concur. Looking at the CVEs, these all seem minor and not exploitable through the Python interface.

| msg284797 | Author: Matthias Klose (doko) | Date: 2017-01-06 06:23 | |

ok, will wait with the commits until after the releases.

| msg286523 | Author: Matthias Klose (doko) | Date: 2017-01-31 12:30 | |

plus the update to 1.2.11

| msg286524 | Author: Roundup Robot (python-dev) | Date: 2017-01-31 12:31 | |

New changeset 0136c99a9795 by doko in branch '2.7':
- Issue #29169: Update zlib to 1.2.11.
https://hg.python.org/cpython/rev/0136c99a9795

| msg286527 | Author: Roundup Robot (python-dev) | Date: 2017-01-31 12:53 | |

New changeset c8c1f08428cb by doko in branch '3.5':
- Issue #29169: Update zlib to 1.2.10.
https://hg.python.org/cpython/rev/c8c1f08428cb

| msg286529 | Author: Matthias Klose (doko) | Date: 2017-01-31 12:57 | |

now updated all active branches to 1.2.11

| msg286550 | Author: Martin Panter (martin.panter) | Date: 2017-01-31 20:32 | |

Misc/NEWS (and the commit message) say 1.2.10. Perhaps you meant 1.2.11?

| msg286616 | Author: Roundup Robot (python-dev) | Date: 2017-02-01 12:02 | |

New changeset 7b279c263708 by doko in branch '3.5':
Issue #29169: Fix NEWS entry.
https://hg.python.org/cpython/rev/7b279c263708

| msg286625 | Author: Roundup Robot (python-dev) | Date: | |

New changeset 7c1f136e83fe9a145f509b27417a8dd2a37ac27c by doko in branch '3.6':
Issue #29169: Fix NEWS entry.
https://github.com/python/cpython/commit/7c1f136e83fe9a145f509b27417a8dd2a37ac27c

| msg286626 | Author: Roundup Robot (python-dev) | Date: | |

New changeset 7c1f136e83fe9a145f509b27417a8dd2a37ac27c by doko in branch '3.5':
Issue #29169: Fix NEWS entry.
https://github.com/python/cpython/commit/7c1f136e83fe9a145f509b27417a8dd2a37ac27c

| msg286627 | Author: Roundup Robot (python-dev) | Date: | |

New changeset 7c1f136e83fe9a145f509b27417a8dd2a37ac27c by doko in branch 'master':
Issue #29169: Fix NEWS entry.
https://github.com/python/cpython/commit/7c1f136e83fe9a145f509b27417a8dd2a37ac27c

| msg300373 | Author: Larry Hastings (larry) | Date: 2017-08-16 16:05 | |

New changeset d0e61bded5256e775e470e2c0da22367a1a81970 by larryhastings (Victor Stinner) in branch '3.4':
bpo-29169: Update zlib to 1.2.11 (#3107)
https://github.com/python/cpython/commit/d0e61bded5256e775e470e2c0da22367a1a81970

| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:41 | admin | set | github: 73355 |
| 2019-05-10 18:00:41 | ned.deily | set | messages: -msg342113 |
| 2019-05-10 17:36:41 | ned.deily | set | nosy: +ned.deily messages: +msg342113 |
| 2017-08-16 16:06:00 | larry | set | messages: +msg300373 |
| 2017-08-16 15:42:09 | vstinner | set | pull_requests: +pull_request3147 |
| 2017-08-16 15:37:47 | vstinner | set | pull_requests: +pull_request3146 |
| 2017-04-02 12:57:40 | serhiy.storchaka | set | pull_requests: -pull_request1029 |
| 2017-03-31 16:36:30 | dstufft | set | pull_requests: +pull_request1029 |
| 2017-02-01 13:00:33 | python-dev | set | messages: +msg286627 |
| 2017-02-01 13:00:31 | python-dev | set | messages: +msg286626 |
| 2017-02-01 13:00:30 | python-dev | set | stage: resolved |
| 2017-02-01 13:00:29 | python-dev | set | messages: +msg286625 |
| 2017-02-01 12:02:29 | python-dev | set | messages: +msg286616 |
| 2017-01-31 20:32:30 | martin.panter | set | nosy: +martin.panter messages: +msg286550 |
| 2017-01-31 12:57:27 | doko | set | status: open -> closed resolution: fixed messages: +msg286529 |
| 2017-01-31 12:53:52 | python-dev | set | messages: +msg286527 |
| 2017-01-31 12:31:08 | python-dev | set | messages: +msg286524 |
| 2017-01-31 12:30:07 | doko | set | files: +zlib-1.2.11.diff messages: +msg286523 title: update zlib to 1.2.10 -> update zlib to 1.2.11 |
| 2017-01-06 06:23:36 | doko | set | messages: +msg284797 |
| 2017-01-05 22:37:59 | rhettinger | set | nosy: +rhettinger messages: +msg284780 |
| 2017-01-05 19:53:43 | larry | set | messages: +msg284769 |
| 2017-01-05 16:26:47 | python-dev | set | nosy: +python-dev messages: +msg284760 |
| 2017-01-05 15:11:47 | doko | create | |