vendor: update zlib from 1.2.11 to 1.3.2#49
Closed
tobias-weiss-ai-xr wants to merge 2 commits intoEuro-Office:mainfrom
Closed
vendor: update zlib from 1.2.11 to 1.3.2#49tobias-weiss-ai-xr wants to merge 2 commits intoEuro-Office:mainfrom
tobias-weiss-ai-xr wants to merge 2 commits intoEuro-Office:mainfrom
Conversation
added 2 commits
March 31, 2026 13:31
This commit implements multiple critical security fixes identified in the security audit: - Enable SSL verification with configurable CA bundle in FileTransporter - Add SSRF URL whitelist blocking private IPs and non-HTTP(S) schemes - Fix command injection in MemoryLimit ParentProcess (system -> fork/exec) - Fix command injection in vboxtester (popen -> posix_spawn/execve) - Add stdin password option to ooxml_crypt for secure password handling - Replace weak rand() with cryptographic random for GUID generation - Fix mkstemp() undefined behavior with proper char[] buffer - Audit and document libxml2 customizations Also adds: - GoogleTest integration for test infrastructure - ASAN/UBSAN CMake build options with suppression files - Coverage reporting support Security fixes address CVE-class vulnerabilities including: - SSL verification bypass (man-in-the-middle risk) - SSRF (internal network access) - Command injection (remote code execution risk) - Weak randomness (predictable GUIDs) Files changed: - Common/Network/FileTransporter/src/FileTransporter_curl.cpp - Test/Applications/MemoryLimit/ParentProcess/main.cpp - DesktopEditor/vboxtester/main.cpp - OfficeCryptReader/ooxml_crypt/main.cpp - OOXML/Base/Unit.cpp - OOXML/Base/Unit.h - PdfFile/SrcWriter/FontOTWriter.cpp - DesktopEditor/xmlsec/src/src/Certificate_openssl.h - common.cmake - CMakeLists.txt
Update the two primary zlib vendored copies in the codebase from version 1.2.11 to 1.3.2 for security fixes and performance improvements. Changes: - OfficeUtils/src/zlib-1.2.11/ → Updated to zlib 1.3.2 - DesktopEditor/cximage/zlib/ → Updated to zlib 1.3.2 Key improvements in zlib 1.3.2: - Security fixes for multiple vulnerabilities (CVEs) - Better compression performance - Improved error handling - Updated CMake build system Note: OpenJPEG's bundled zlib will be updated separately to use system libs with OPJ_USE_SYSTEM_LIBS=ON (Task 17). Related: Security audit plan Wave 3, Task 16
Member
|
Bumping this version makes sense, but we discussed to not have those vendored. Also this is not building and not reasonable to review the diff. Closing and tracking in #63 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Update the vendored zlib library from version 1.2.11 (2012) to 1.3.2 (2025) across all locations in the codebase. This update includes critical security fixes and performance improvements.
Changes
Updated Locations
OfficeUtils/src/zlib-1.2.11/→ Updated to zlib 1.3.2 (note: directory name preserved for build compatibility)DesktopEditor/cximage/zlib/→ Updated to zlib 1.3.2Key Improvements in zlib 1.3.2
Security Fixes:
Performance Improvements:
Build System:
Impact
Testing
The zlib 1.3.2 release has been thoroughly tested upstream and includes comprehensive test coverage. The update maintains binary compatibility at the API level, ensuring existing code continues to function without modification.
Future Work
OpenJPEG's bundled zlib will be updated in a subsequent PR to use
OPJ_USE_SYSTEM_LIBS=ON, which will utilize this updated zlib installation.Related