Zandronum Chat @ irc.zandronum.com
#zandronum
Get the latest version: 3.0
Source Code

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0003297Doomseeker[All Projects] Suggestionpublic2017-10-08 02:192017-11-13 17:16
ReporterWubTheCaptain 
Assigned ToZalewa 
PrioritynormalSeverityexploitReproducibilityhave not tried
StatusresolvedResolutionfixed 
PlatformOSOS Version
Product Version1.1 
Target Version1.1Fixed in Version1.2 
Summary0003297: Update bundled (and possibly vulnerable) zlib 1.2.7 dependency
DescriptionDoomseeker source bundles a private fork of zlib 1.2.7.

I propose it to be updated to a recent version.
Additional InformationThe README file incorrectly suggests the bundled zlib dependency version to be 1.2.5.

Suggested downstream by Gentoo GNU/Linux:https://wiki.gentoo.org/wiki/Why_not_bundle_dependencies#What_to_do_upstream [^]

Quote from Gentoo Wiki
When keeping dependency D bundled make sure to follow the upstream of D closely and update your copy to a recent version of D on every minor (and major) release to at least reduce the damage done to people using your bundled version a little.


Current release available is zlib 1.2.11.http://zlib.net/ [^]

Note: Vulnerabilities were discovered in zlib 1.2.8 (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843). Pre-cautionary exploit severity.
Attached Fileslog file icon diffoscope.log [^] (34,005 bytes) 2017-11-09 05:45

- Relationships
related to 0003238closed Split Doomseeker's build dependencies off source archive distribution, distribute seperately 
child of 0003246assignedWubTheCaptain Debian packaging. 

-  Notes
User avatar (0018825)
Zalewa (developer)
2017-11-08 21:39

I updated the dependencies/zlib to 1.2.11 as requested:https://bitbucket.org/Doomseeker/doomseeker/commits/8443d61cf99d504a4a8cd6d0c3a7c74c65772109 [^]

I wonder if we should take care of the other zlib copy that is in Mendeley Updater's code. We feed the updater with known archives, so exploitation risk is non-existant (?), but keeping & using another build of the same thing seems like asking for trouble.
User avatar (0018834)
Blzut3 (administrator)
2017-11-09 03:54

Are there any issues with switching it over? I can't imagine it would be that difficult to use the already existing targets.
User avatar (0018835)
WubTheCaptain (developer)
2017-11-09 05:13

There's a lot other things that go to Mendeley's code: An older repository without any license (no grant of rights, later relicensed at upstream under Expat license), CPOL-licensed dependencies, etc. It'd be best to file bugs upstream to Mendeley in that case, else leave it rot because of downstream consequences (wasted time opportunities in maintaining a private fork). (These issues don't have subtickets of 0003237 yet.)

You can obviously tell I don't like Mendeley at all, and my preference is to replace it completely (with something like 0003292, yes MSI can be network installed by admin and silent upgrades too).

Another ticket, 0003238, would've been my preference of resolution (as said in the Gentoo GNU/Linux wiki article), but that's apparently no go because of Microsoft Windows operating system family.

I'm unable to test this patch without much effort, because qtmultimedia5-dev package depends on zlib1g-dev and so I cannot build without using system library zlib (1.2.8) in Debian. I guess I'll run a diffoscope later to verify, but I have good faith in this to be resolved.
User avatar (0018836)
WubTheCaptain (developer)
2017-11-09 05:21

Forgot there's FORCE_INTERNAL_ZLIB option to cmake:

cmake -DFORCE_INTERNAL_ZLIB=YES $DOOMSEEKER_SOURCE


Builds fine with zlib 1.2.11 for me.
User avatar (0018837)
WubTheCaptain (developer)
2017-11-09 05:45
edited on: 2017-11-09 05:50

diffoscope log passes for me. Notice algorithm.txt, example.c and zlib.vcproj though. (The lattermost is a Doomseeker "feature".)

This is unexplained to be a Doomseeker thing:

if( CMAKE_C_COMPILER_ID STREQUAL "GNU" OR CMAKE_C_COMPILER_ID STREQUAL "Clang" 
)
    set( CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIC" )
endif()


It was probably in the old version too, though.

User avatar (0018854)
Zalewa (developer)
2017-11-11 11:18

The unexplained Doomseeker thing should be explained now.

Moreover, I removed zlib and bzip2 convenience copies from Mendeley's "external" directory. Blzut, you should check if it didn't break anything on Mac, especially when "use internals" are off.
User avatar (0018867)
Blzut3 (administrator)
2017-11-13 08:57

Appears to be fine on Mac.
User avatar (0018868)
WubTheCaptain (developer)
2017-11-13 11:15

Guess this is resolved, then.

Only a remaining question to be answered: What's the target version for this? 1.1 patch release or 1.2?

Issue Community Support
This issue is already marked as resolved.
If you feel that is not the case, please reopen it and explain why.
Supporters: No one explicitly supports this issue yet.
Opponents: No one explicitly opposes this issue yet.

- Issue History
Date Modified Username Field Change
2017-10-08 02:19 WubTheCaptain New Issue
2017-10-08 02:20 WubTheCaptain Relationship added related to 0003238
2017-11-04 01:22 WubTheCaptain Target Version => 1.1
2017-11-04 01:24 WubTheCaptain Summary Update bundled zlib 1.2.7 dependency => Update bundled (and possibly vulnerable) zlib 1.2.7 dependency
2017-11-04 01:27 WubTheCaptain Relationship added child of 0003279
2017-11-04 01:44 WubTheCaptain Relationship deleted child of 0003279
2017-11-04 01:44 WubTheCaptain Relationship added child of 0003246
2017-11-04 09:17 Zalewa Assigned To => Zalewa
2017-11-04 09:17 Zalewa Status new => assigned
2017-11-08 21:39 Zalewa Note Added: 0018825
2017-11-08 21:39 Zalewa Status assigned => feedback
2017-11-09 03:54 Blzut3 Note Added: 0018834
2017-11-09 05:13 WubTheCaptain Note Added: 0018835
2017-11-09 05:13 WubTheCaptain Status feedback => assigned
2017-11-09 05:21 WubTheCaptain Note Added: 0018836
2017-11-09 05:21 WubTheCaptain Status assigned => needs review
2017-11-09 05:45 WubTheCaptain File Added: diffoscope.log
2017-11-09 05:45 WubTheCaptain Note Added: 0018837
2017-11-09 05:46 WubTheCaptain Note Edited: 0018837 View Revisions
2017-11-09 05:48 WubTheCaptain Note Edited: 0018837 View Revisions
2017-11-09 05:50 WubTheCaptain Note Edited: 0018837 View Revisions
2017-11-11 11:18 Zalewa Note Added: 0018854
2017-11-13 08:57 Blzut3 Note Added: 0018867
2017-11-13 11:15 WubTheCaptain Note Added: 0018868
2017-11-13 17:16 Zalewa Status needs review => resolved
2017-11-13 17:16 Zalewa Fixed in Version => 1.2
2017-11-13 17:16 Zalewa Resolution open => fixed






Questions or other issues? Contact Us.

Links


Copyright © 2000 - 2017 MantisBT Team
Powered by Mantis Bugtracker