
Upgrade to zlib v1.2.12 in CPython binary releases #91350

Closed
gpshead opened this issue Apr 1, 2022 · 12 comments · Fixed by #32250

Comments

@gpshead
Member

@gpshead gpshead commented Apr 1, 2022

BPO 47194
Nosy @gpshead, @pfmoore, @tjguk, @ned-deily, @ambv, @zware, @zooba, @pablogsal, @miss-islington
PRs
  • #32241
  • #32248
  • #32249
  • #32250
  • #32251

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = None
    closed_at = None
    created_at = <Date 2022-04-01.19:25:42.678>
    labels = ['3.8', '3.9', 'release-blocker', 'extension-modules', '3.7', 'type-security', '3.10', '3.11', 'OS-windows']
    title = 'Upgrade to zlib v1.2.12 in CPython binary releases'
    updated_at = <Date 2022-04-04.03:27:26.636>
    user = 'https://github.com/gpshead'

    bugs.python.org fields:

    activity = <Date 2022-04-04.03:27:26.636>
    actor = 'ned.deily'
    assignee = 'none'
    closed = False
    closed_date = None
    closer = None
    components = ['Extension Modules', 'Windows']
    creation = <Date 2022-04-01.19:25:42.678>
    creator = 'gregory.p.smith'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 47194
    keywords = ['patch']
    message_count = 5.0
    messages = ['416510', '416552', '416555', '416556', '416651']
    nosy_count = 9.0
    nosy_names = ['gregory.p.smith', 'paul.moore', 'tim.golden', 'ned.deily', 'lukasz.langa', 'zach.ware', 'steve.dower', 'pablogsal', 'miss-islington']
    pr_nums = ['32241', '32248', '32249', '32250', '32251']
    priority = 'release blocker'
    resolution = None
    stage = 'patch review'
    status = 'open'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue47194'
    versions = ['Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10', 'Python 3.11']

    @gpshead
    Member Author

    @gpshead gpshead commented Apr 1, 2022

    zlib v1.2.11 as used in Windows binary releases contains a security issue that, while fixed in its git repo years ago, never wound up in a release or a CVE until just now.

    Follow the https://www.openwall.com/lists/oss-security/2022/03/24/1 thread and the recently assigned CVE-2018-25032.

    I believe we only ship our own zlib on Windows so this issue is tagged as such. The above oss-security thread is where an idea of severity will come out.

    @zooba
    Member

    @zooba zooba commented Apr 2, 2022

    New changeset 6066739 by Zachary Ware in branch 'main':
    bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241)
    6066739

    @miss-islington
    Contributor

    @miss-islington miss-islington commented Apr 2, 2022

    New changeset 0f0f85e by Miss Islington (bot) in branch '3.9':
    bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241)
    0f0f85e

    @miss-islington
    Contributor

    @miss-islington miss-islington commented Apr 2, 2022

    New changeset 16a809f by Miss Islington (bot) in branch '3.10':
    bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241)
    16a809f

    @ned-deily
    Member

    @ned-deily ned-deily commented Apr 4, 2022

    New changeset 387f93c by Miss Islington (bot) in branch '3.7':
    bpo-47194: Update zlib to v1.2.12 on Windows to resolve CVE-2018-25032 (GH-32241) (GH-32251)
    387f93c

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    @pablogsal
    Member

    @pablogsal pablogsal commented May 6, 2022

    Is there anything left to do in this issue? Can we close it?

    @vstinner
    Member

    @vstinner vstinner commented May 6, 2022

    > Is there anything left to do in this issue? Can we close it?

    It seems like zlib is still outdated in Python 3.8.

    I have a tool to check for "external libraries versions": https://github.com/vstinner/misc/blob/main/cpython/external_versions.py

    $ (cd main/; ~/myprojects/misc/cpython/external_versions.py|grep zlib)
    zlib[Windows]: 1.2.12
    $ (cd 3.10/; ~/myprojects/misc/cpython/external_versions.py|grep zlib)
    zlib[Windows]: 1.2.12
    $ (cd 3.9/; ~/myprojects/misc/cpython/external_versions.py|grep zlib)
    zlib[Windows]: 1.2.12
    $ (cd 3.8/; ~/myprojects/misc/cpython/external_versions.py|grep zlib)
    zlib[Windows]: 1.2.11
    $ (cd 3.7/; ~/myprojects/misc/cpython/external_versions.py|grep zlib)
    zlib[Windows]: 1.2.12
    

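    The version check below is an added example, not vstinner's external_versions.py and not CPython code: it parses the transcript format shown in the comment above (sample lines constructed here) to flag branches whose bundled zlib predates the 1.2.12 fix, and also checks the zlib the running interpreter actually loaded via zlib.ZLIB_RUNTIME_VERSION. The function names and the sample transcript are assumptions.

```python
import re
import zlib

# Constructed sample in the format of the transcript above:
# a "cd <branch>/" command followed by the grep'd zlib version line.
SAMPLE_TRANSCRIPT = """\
$ (cd main/; ~/myprojects/misc/cpython/external_versions.py|grep zlib)
zlib[Windows]: 1.2.12
$ (cd 3.8/; ~/myprojects/misc/cpython/external_versions.py|grep zlib)
zlib[Windows]: 1.2.11
"""

# zlib release that resolves CVE-2018-25032, per the changesets in this issue.
FIXED_ZLIB = (1, 2, 12)

def parse_version(text):
    """Turn '1.2.11' or '1.2.11.1-local' into a comparable tuple of ints,
    ignoring any non-numeric suffix a distro build may append."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised zlib version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(version):
    """True if this zlib predates the 1.2.12 fix."""
    return parse_version(version) < FIXED_ZLIB

def affected_branches(transcript):
    """Map each branch in the transcript to whether its bundled zlib is affected."""
    branch, result = None, {}
    for line in transcript.splitlines():
        cmd = re.match(r"\$\s*\(cd\s+([^/\s]+)/", line)
        if cmd:
            branch = cmd.group(1)
            continue
        ver = re.match(r"zlib\[Windows\]:\s*(\S+)", line)
        if ver and branch is not None:
            result[branch] = is_affected(ver.group(1))
    return result

def check_interpreter():
    """ZLIB_VERSION is the header version the interpreter was built against,
    ZLIB_RUNTIME_VERSION the library actually loaded. On Windows both are the
    bundled copy; on most Unix builds the runtime copy comes from the OS."""
    runtime = zlib.ZLIB_RUNTIME_VERSION
    return {"compiled": zlib.ZLIB_VERSION, "runtime": runtime,
            "affected": is_affected(runtime)}
```

For the sample transcript, affected_branches reports main as fixed and 3.8 as still affected, matching what the comment above shows.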
    @vstinner
    Member

    @vstinner vstinner commented May 6, 2022

    > It seems like zlib is still outdated in Python 3.8.

    There is #32250 but the Docs CI failed. I removed/added back the "backport to 3.8" label on #32241 and it updated the 3.8 PR.

    @gpshead
    Member Author

    @gpshead gpshead commented May 6, 2022

    Yep, just waiting on that 3.8 PR being merged by its RM. We don't have a good way to indicate which branches an issue remains a release-blocker for.

    @zware
    Member

    @zware zware commented May 16, 2022

    With the merge of #32250, this is now resolved in all active branches. Does anyone have a handle on whether the severity of the CVE is high enough to warrant releases?

    @ambv
    Contributor

    @ambv ambv commented May 16, 2022

    Since we only ship our own zlib with installers and 3.7-3.8 aren't shipping installers anymore, I don't think we need a security release for that. The only other change in 3.8 is a sqlite segfault fix so I think I'll pass on releasing a 3.8 at this time.

    @ned-deily
    Member

    @ned-deily ned-deily commented May 20, 2022

    > Since we only ship our own zlib with installers and 3.7-3.8 aren't shipping installers anymore, I don't think we need a security release for that.

    Likewise with 3.7 so time to close this. Thanks, everyone!
