
Old version of Zlib in GnuPG
Closed, ResolvedPublic

Description

There are two directories where the library is included:
APPDIR/GnuPG/bin/Zlib1.dll (Zlib version here is 1.2.8)
APPDIR/Gpg4win/bin/Zlib1.dll (Zlib version here is 1.2.11)

For version 1.2.8 two CVEs are known: CVE-2016-9842 (CVSS 8.8) and CVE-2016-9841 (CVSS 9.8).

According to @aheinecke the use of Zlib is strongly limited, so these CVEs are not relevant for GnuPG.
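An inventory check for the situation described in this ticket, added here as an example and not code from GnuPG or Gpg4win: it walks an install directory, finds every bundled Zlib1.dll and reads the version zlib embeds in its inflate/deflate copyright strings, flagging copies older than 1.2.11 (the newer of the two versions above). The directory layout, the minimum version and the sample DLL contents used when no path is given are assumptions constructed for the example.

```python
import re
import sys
import tempfile
from pathlib import Path

# Newer of the two bundled copies named in the ticket; anything older is flagged.
MIN_ZLIB_VERSION = (1, 2, 11)

# zlib embeds ZLIB_VERSION in its inflate/deflate copyright strings, e.g.
# " inflate 1.2.8 Copyright 1995-2013 Mark Adler ", so a byte scan identifies
# the version without parsing the PE version resource.
_VERSION_RE = re.compile(
    rb"\b(?:inflate|deflate) (\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))? Copyright")

def zlib_version_from_bytes(data: bytes):
    """Return the zlib version tuple embedded in a binary, or None if not found."""
    m = _VERSION_RE.search(data)
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)

def scan_install_dir(root, min_version=MIN_ZLIB_VERSION):
    """Report every zlib1.dll under root as (relative path, version, is_stale).
    A copy whose version cannot be determined is reported as stale so that it
    is reviewed rather than silently passed."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.name.lower() == "zlib1.dll":
            version = zlib_version_from_bytes(path.read_bytes())
            stale = version is None or version < min_version
            findings.append((path.relative_to(root).as_posix(), version, stale))
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        # Constructed stand-in for APPDIR: two fake DLLs carrying zlib's marker strings.
        target = tempfile.mkdtemp()
        for sub, marker in (("GnuPG/bin", b" inflate 1.2.8 Copyright 1995-2013 Mark Adler "),
                            ("Gpg4win/bin", b" inflate 1.2.11 Copyright 1995-2017 Mark Adler ")):
            (Path(target) / sub).mkdir(parents=True)
            (Path(target) / sub / "zlib1.dll").write_bytes(b"MZ" + b"\0" * 14 + marker)
    for rel, ver, stale in scan_install_dir(target):
        label = ".".join(map(str, ver)) if ver else "unknown"
        print(f"{'STALE' if stale else 'ok   '} {rel}: zlib {label}")
```

Run it against the real APPDIR to get one line per bundled copy; a "STALE" line is a copy that still needs the update the ticket asks for.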

Event Timeline

cklassen created this object in space S1 Public.
cklassen edited projects, added gpg4win; removed gnupg.
cklassen set Version to 4.0.0.
cklassen added a subscriber: aheinecke.
werner added a subscriber: werner.

Right, we are not affected by these CVEs because we use only the very basic core in gpg and no higher level functions. At least for GnuPG there will be no update.

werner set External Link to https://www.openwall.com/lists/oss-security/2016/12/05/21 (Mar 15 2022, 3:17 PM).
werner raised the priority of this task from Low to Normal (Mar 15 2022, 3:22 PM).
werner added projects: gnupg (gpg22), CVE.

All 4 CVEs are findings related to standard conforming compiler optimizations which OTOH break long standing assumptions on C coding. “Let us show that our compiler produces the fastest code ever and ignore any assumptions coders had made over the last 50 years”.

I recall that I looked at them but it turned out that these fixes introduced other bugs. Well, things might have settled by now and thus we could update our zlib version.

werner claimed this task.

SWDB updated - thus the latest zlib will be part of the next Windows build.