Page MenuHome GnuPG
Create Task
Maniphest T5880

Old version of Zlib in GnuPG
Closed, ResolvedPublic
Actions

Description

There are two directories where the library is included:
APPDIR/GnuPG/bin/Zlib1.dll (version of Zlib is here 1.2.8)
APPDIR/Gpg4win/bin/Zlib1.dll (version of Zlib is here 1.2.11)

For version 1.2.8 two CVEs are known: CVE-2016-9842 (CVSS 8.8) and CVE-2016-9841 (CVSS 9.8).

Accordingly to @aheinecke the use of Zlib is strongly limited, so these CVEs are not relevant for GnuPG.

Details

External Link
https://www.openwall.com/lists/oss-security/2016/12/05/21
Version
4.0.0

Related Objects

Event Timeline

cklassen created this task.Mar 15 2022, 11:59 AM
cklassen created this object in space S1 Public.
bernhard added a subscriber: bernhard.Mar 15 2022, 12:23 PM
cklassen updated the task description. (Show Details)Mar 15 2022, 12:55 PM
cklassen edited projects, added gpg4win; removed gnupg.
cklassen set Version to 4.0.0.
cklassen added a subscriber: aheinecke.
werner triaged this task as Low priority.Mar 15 2022, 1:01 PM
werner added a subscriber: werner.

Right, we are not affected by these CVE because we use only the very basic core in gpg and no higher level functions. At least for GnuPG there will be no update.

werner set External Link to https://www.openwall.com/lists/oss-security/2016/12/05/21.Mar 15 2022, 3:17 PM
werner raised the priority of this task from Low to Normal.Mar 15 2022, 3:22 PM
werner added projects: gnupg (gpg22), CVE.

All 4 CVEs are findings related to standard conforming compiler optimizations which OTOH break long standing assumptions on C coding. “Let us show that our compiler produces the fastes code ever and ignore any assumptions coders had made over the last 50 year”.

I recall that I looked at them but it turned out that these fixes introduced other bugs. Well, things might have settled by now and thus we could update our zlib version.

werner closed this task as Resolved.Mar 17 2022, 8:04 AM
werner claimed this task.

SWDB updated - thus the latest zlib will be part of the next Windows build.

bernhard mentioned this in T5910: CVE-2018-25032 for zlib <=1.2.11 (CVSS 8.1 high).Mar 30 2022, 4:53 PM