799264 - Import zlib security patches from chromium (if needed)

Status: RESOLVED INVALID

(Core :: General, defect)

Description

[Nicolas B. Pierron [:nbp] {away}]

https://github.com/NixOS/nixpkgs/commit/77d424875c4d035c3025bcb7f8f58c2a11229f93

Chromium has extra zlib patches which are fixing security issues but which are not covering all use case of the zlib yet.  See if we have to import these patches until they are included in the upstream version.  And import them if needed.

Comment 1

[David Bolter [:davidb] (NeedInfo me for attention)]

Naveed, we're a little that the chromium patches might include critical fixes we would want. Can someone check this out?

Comment 2

[Daniel Veditz [:dveditz]]

The main tree zlib is using (according to comments in zlib.h) version 1.2.7 from May 2012
The zlib in nss is using 1.2.5 from April 2010
The freetype2 code uses parts of zlib  version 1.1.4 (2002) in its gzip directory

I'm concerned that if Chrome has patched their zlib with a hidden bug then it's probably and issue we need to worry about.

Comment 3

[Benjamin Smedberg]

dveditz, can you follow up with them?

Comment 4

[Al Billings [:abillings - ex-MoCo]]

Any updates here, Dan?

Comment 5

[Andrew McCreight [:mccr8]]

I looked over the linked commit, and the only security-related things I could see seemed to be related to CRIME, which we patched in bug 779413, and basically just disables zlib in a certain way, so I don't think there's anything there we need to take.

Are there any other commits in particular you are worried about, nbp, or was it just that one thing?

We upgraded to zlib 1.2.8 earlier this year (bug 866964), FWIW.

Comment 6

[Nicolas B. Pierron [:nbp] {away}]

This was just that one thing. Thanks for checking. :)