cve: Update zlib to 1.3 and ignore a CVE (osquery#8218)

trailofbits · Dec 19, 2023 · 3f47753 · 3f47753
1 parent 1243c73
commit 3f47753
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 22 deletions.
diff --git a/libraries/cmake/source/zlib/CMakeLists.txt b/libraries/cmake/source/zlib/CMakeLists.txt
@@ -38,6 +38,14 @@ function(zlibMain)
     )
   endif()
 
+  if(DEFINED PLATFORM_WINDOWS)
+    target_compile_definitions(thirdparty_zlib PRIVATE
+      NO_FSEEKO
+      _CRT_NONSTDC_NO_DEPRECATE
+      _CRT_SECURE_NO_DEPRECATE
+    )
+  endif()
+
   if(DEFINED PLATFORM_LINUX)
     target_compile_definitions(thirdparty_zlib PRIVATE
       _LARGEFILE64_SOURCE=1

diff --git a/libraries/cmake/source/zlib/README.md b/libraries/cmake/source/zlib/README.md
@@ -1,10 +1,30 @@
 # zlib library build notes
 
-Check that the generated `zconf.h` and the compilation enables the defines that we are hardcoding in the CMakeLists.txt.
+Check that the defines we are hardcoding in the CMakeLists.txt corresponds to the ones that are enabled during compilation.
+Also verify that if there are preprocessors `#if/#ifdef` checks in `zconf.h` that are modified to `#if 1`,
+the respective define checked is also present among the defines we are hardcoding.
+
+For instance if
+```
+#ifdef HAVE_UNISTD_H    /* may be set to #if 1 by ./configure */
+#  define Z_HAVE_UNISTD_H
+#endif
+```
+
+becomes
+```
+#if 1    /* was set to #if 1 by ./configure */
+#  define Z_HAVE_UNISTD_H
+#endif
+```
+
+Add `HAVE_UNISTD_H` in the hardcoded defines.
+
+On Windows, when using CMake to configure, the `zconf.h` file is in the build folder, and it should be compared with the `zconf.h.included` file in the source folder.
 
 ## Linux
 
-### Linux x86_64
+### Linux x86_64/AArch64
 
 Generated with the following commands:
 
@@ -20,37 +40,52 @@ export CC=clang
 make
 ```
 
-### Linux AArch64
+## macOS
 
 Generated with the following commands:
 
-```bash
-export TOOLCHAIN=/usr/local/osquery-toolchain
-export PATH="/usr/local/osquery-toolchain/usr/bin:${PATH}"
-export CFLAGS="--sysroot /usr/local/osquery-toolchain"
-export CXXFLAGS="${CFLAGS}"
-export CPPFLAGS="${CFLAGS}"
-export CC=clang
+### macOS ARM (M1, M2, etc.)
+
+```sh
+export CFLAGS="-isysroot /Applications/Xcode_15.0.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX14.2.sdk -target arm64-apple-macos10.15"
+./configure --static --64
+make
+```
 
+### macOS x86-64
+
+```sh
+export CFLAGS="-isysroot /Applications/Xcode_15.0.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX14.2.sdk -target x86_64-apple-macos10.15"
 ./configure --static --64
 make
 ```
 
-## macOS
+## Windows
 
 Generated with the following commands:
 
-### macOS ARM (M1, M2, etc.)
+### Windows x86-64
 
 ```sh
-CFLAGS="-isysroot /Applications/Xcode_13.0.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk -target arm64-apple-macos10.15" ./configure --static --64
-make
+call "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvarsall.bat" x64
+mkdir build
+cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_COMPILER="cl.exe" -S . -B build
+cmake --build build --verbose
 ```
 
-### macOS x86-64
+### Windows arm64
+
+Prepare a `cross.cmake` file with
+```cmake
+set(CMAKE_SYSTEM_NAME Windows)
+set(CMAKE_SYSTEM_PROCESSOR ARM64)
+```
+
+Then to configure:
 
 ```sh
-CFLAGS="-isysroot /Applications/Xcode_13.0.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk -target x86_64-apple-macos10.14"
-./configure --static --64
-make
+call "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvarsall.bat" x64_arm64
+mkdir build
+cmake -G Ninja -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_COMPILER="cl.exe" -DCMAKE_TOOLCHAIN_FILE=cross.cmake -S . -B build
+cmake --build build --verbose
 ```
diff --git a/libraries/cmake/source/zlib/src b/libraries/cmake/source/zlib/src
diff --git a/libraries/third_party_libraries_manifest.json b/libraries/third_party_libraries_manifest.json
@@ -317,9 +317,11 @@
   "zlib": {
     "product": "zlib",
     "vendor": "zlib",
-    "version": "1.2.13",
-    "commit": "04f42ceca40f73e2978b50e93806c2a18c1281fc",
-    "ignored-cves": []
+    "version": "1.3",
+    "commit": "09155eaa2f9270dc4ed1fa13e2b4b2613e6e4851",
+    "ignored-cves": [
+      "CVE-2023-45853"
+    ]
   },
   "zstd": {
     "product": "zstandard",
+1 −1		.github/workflows/cmake.yml
+1 −1		.github/workflows/configure.yml
+2 −2		CMakeLists.txt
+19 −1		ChangeLog
+1 −1		FAQ
+8 −2		Makefile.in
+9 −10		README
+5 −27		adler32.c
+5 −16		compress.c
+16 −10		configure
+2 −2		contrib/ada/readme.txt
+2 −2		contrib/ada/test.adb
+1 −1		contrib/ada/zlib-streams.ads
+1 −1		contrib/ada/zlib.adb
+1 −1		contrib/ada/zlib.ads
+1 −1		contrib/delphi/ZLib.pas
+1 −1		contrib/dotzlib/DotZLib/ChecksumImpl.cs
+2 −2		contrib/dotzlib/DotZLib/CodecBase.cs
+3 −3		contrib/dotzlib/DotZLib/GZipStream.cs
+1 −1		contrib/dotzlib/DotZLib/UnitTests.cs
+1 −1		contrib/dotzlib/readme.txt
+6 −18		contrib/infback9/infback9.c
+8 −8		contrib/infback9/infback9.h
+6 −11		contrib/infback9/inftree9.c
+3 −3		contrib/infback9/inftree9.h
+1 −1		contrib/minizip/MiniZip64_Changes.txt
+1 −1		contrib/minizip/configure.ac
+4 −8		contrib/minizip/crypt.h
+18 −44		contrib/minizip/ioapi.c
+18 −18		contrib/minizip/ioapi.h
+19 −46		contrib/minizip/iowin32.c
+4 −4		contrib/minizip/iowin32.h
+22 −48		contrib/minizip/miniunz.c
+24 −36		contrib/minizip/minizip.c
+1 −7		contrib/minizip/mztools.c
+185 −330		contrib/minizip/unzip.c
+68 −68		contrib/minizip/unzip.h
+129 −186		contrib/minizip/zip.c
+148 −151		contrib/minizip/zip.h
+1 −1		contrib/pascal/zlibpas.pas
+1 −1		contrib/testzlib/testzlib.c
+28 −35		contrib/untgz/untgz.c
+1 −1		contrib/vstudio/readme.txt
+4 −4		contrib/vstudio/vc10/zlib.rc
+1 −1		contrib/vstudio/vc10/zlibvc.def
+4 −4		contrib/vstudio/vc11/zlib.rc
+1 −1		contrib/vstudio/vc11/zlibvc.def
+4 −4		contrib/vstudio/vc12/zlib.rc
+1 −1		contrib/vstudio/vc12/zlibvc.def
+4 −4		contrib/vstudio/vc14/zlib.rc
+1 −1		contrib/vstudio/vc14/zlibvc.def
+4 −4		contrib/vstudio/vc9/zlib.rc
+1 −1		contrib/vstudio/vc9/zlibvc.def
+86 −162		crc32.c
+233 −336		deflate.c
+8 −8		deflate.h
+1 −1		examples/fitblk.c
+15 −11		examples/zlib_how.html
+396 −342		examples/zran.c
+40 −29		examples/zran.h
+1 −3		gzclose.c
+11 −12		gzguts.h
+22 −79		gzlib.c
+20 −68		gzread.c
+19 −65		gzwrite.c
+7 −23		infback.c
+1 −4		inffast.c
+1 −1		inffast.h
+30 −99		inflate.c
+6 −11		inftrees.c
+3 −3		inftrees.h
+1 −1		os400/README400
+4 −4		os400/zlib.inc
+5 −5		qnx/package.qpg
+23 −80		test/example.c
+3 −2		test/infcover.c
+50 −122		test/minigzip.c
+2 −2		treebuild.xml
+224 −302		trees.c
+4 −12		uncompr.c
+2 −2		win32/README-WIN32.txt
+6 −2		zconf.h
+6 −2		zconf.h.cmakein
+6 −2		zconf.h.in
+3 −3		zlib.3
+ −		zlib.3.pdf
+191 −188		zlib.h
+0 −152		zlib2ansi
+16 −44		zutil.c
+10 −10		zutil.h