upgrade zlib-rs to version `0.4.0` #439

folkertdev · 2024-11-14T11:29:32Z

fixes a stack overflow on malicious input GHSA-j3px-q95c-9683

folkertdev · 2024-11-14T11:30:44Z

src/ffi/c.rs

@@ -447,7 +447,7 @@ mod c_backend {
    #[cfg(feature = "zlib-ng")]
    const ZLIB_VERSION: &'static str = "2.1.0.devel\0";
    #[cfg(all(not(feature = "zlib-ng"), feature = "zlib-rs"))]
-    const ZLIB_VERSION: &'static str = "1.3.0-zlib-rs-0.3.0\0";


this bump is not strictly needed here (only the 1.3.0 part is relevant, and I believe only the 1 prefix is checked by most zlib libraries (but applications might check more).

Byron

Thanks a lot for the fix and the update here - I will create a new release right away.

Byron · 2024-11-14T13:57:39Z

And here it is: https://github.com/rust-lang/flate2-rs/releases/tag/1.0.35

folkertdev · 2024-11-14T14:04:11Z

nice, thanks!

(btw we're now also testing with the flate2 test suite in CI trifectatechfoundation/zlib-rs#250)

upgrade zlib-rs to version 0.4.0

eff67ad

folkertdev commented Nov 14, 2024

View reviewed changes

Byron approved these changes Nov 14, 2024

View reviewed changes

Byron merged commit 14aec22 into rust-lang:main Nov 14, 2024
14 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

upgrade zlib-rs to version `0.4.0` #439

upgrade zlib-rs to version `0.4.0` #439

folkertdev commented Nov 14, 2024

folkertdev Nov 14, 2024

Byron left a comment

Byron commented Nov 14, 2024

folkertdev commented Nov 14, 2024

upgrade zlib-rs to version 0.4.0 #439

upgrade zlib-rs to version 0.4.0 #439

Conversation

folkertdev commented Nov 14, 2024

folkertdev Nov 14, 2024

Choose a reason for hiding this comment

Byron left a comment

Choose a reason for hiding this comment

Byron commented Nov 14, 2024

folkertdev commented Nov 14, 2024

upgrade zlib-rs to version `0.4.0` #439

upgrade zlib-rs to version `0.4.0` #439