Zlib 1.2.11

These are the changes updating zlib from 1.2.8 to 1.2.10. The bundled copy of zlib is only used when Python is built without a system zlib.

The new release includes fixes for security issues CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843.

Note: Only Windows and macOS are affected by this issue. Linux packages use the system zlib.

  • Disclosure date: 2017-01-05 (Python issue bpo-29169 reported)
  • Reported at: 2017-01-02 (zlib 1.2.10 released)

Fixed In

Python issue

update zlib to 1.2.11.

  • Python issue: bpo-29169
  • Creation date: 2017-01-05
  • Reporter: Matthias Klose

CVE-2016-9840

inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

CVE-2016-9841

inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

CVE-2016-9842

The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.

CVE-2016-9843

The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.

Timeline

Timeline using the disclosure date 2017-01-05 as reference:

  • 2017-01-02 (-3 days): Reported (zlib 1.2.10 released)
  • 2017-01-05: Python issue bpo-29169 reported by Matthias Klose
  • 2017-01-31 (+26 days): commit 34e7e2e (branch 3.5)
  • 2017-01-31 (+26 days): commit 80b24a9 (branch 2.7)
  • 2017-03-21 (+75 days): Python 3.6.1 released
  • 2017-05-23 (+138 days): CVE-2016-9840 published
  • 2017-05-23 (+138 days): CVE-2016-9841 published
  • 2017-05-23 (+138 days): CVE-2016-9842 published
  • 2017-05-23 (+138 days): CVE-2016-9843 published
  • 2017-08-08 (+215 days): Python 3.5.4 released
  • 2017-08-16 (+223 days): commit d0e61bd (branch 3.4)
  • 2017-09-17 (+255 days): Python 2.7.14 released
  • 2018-02-04 (+395 days): Python 3.4.8 released
  • 2018-06-28: Python 3.7.0 released
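As an added check that is not part of this record: the script below decides whether the interpreter it runs in still carries an unpatched bundled zlib, taking the platform list from the note above (only Windows and macOS bundle zlib) and 1.2.11 as the patched version named in the title; both are assumptions lifted from those lines, and `zlib.ZLIB_RUNTIME_VERSION` is the standard-library attribute reporting the library actually loaded.

```python
"""Check whether a running Python still carries an unpatched bundled zlib.

Added example, not part of the python-security record. Assumptions:
  * only the platforms named in the note (Windows, macOS) bundle zlib;
  * 1.2.11, the version bpo-29169 updated to, is the patched threshold.
"""
import sys
import zlib

PATCHED_ZLIB = "1.2.11"                      # version the fix shipped (assumed threshold)
BUNDLED_ZLIB_PLATFORMS = ("win32", "darwin")  # per the note: Linux uses the system zlib


def parse_version(version):
    """Turn '1.2.8' into (1, 2, 8) so releases compare numerically.

    A plain string comparison gets this wrong: '1.2.8' > '1.2.11' lexically,
    which would report the vulnerable release as newer than the fix.
    Trailing non-digits (e.g. '1.2.8-dirty') are ignored per component.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(zlib_version, platform, patched=PATCHED_ZLIB):
    """True when `platform` bundles zlib and `zlib_version` predates the fix.

    On platforms using the system zlib this issue does not apply to the
    Python package itself, so the function reports False there.
    """
    if platform not in BUNDLED_ZLIB_PLATFORMS:
        return False
    return parse_version(zlib_version) < parse_version(patched)


def check_running_interpreter():
    """Report on the interpreter this runs in, using the loaded library version."""
    # ZLIB_RUNTIME_VERSION is the library actually loaded (Python >= 3.3);
    # ZLIB_VERSION is the header version compiled against, so fall back to it.
    runtime = getattr(zlib, "ZLIB_RUNTIME_VERSION", zlib.ZLIB_VERSION)
    return {"platform": sys.platform, "zlib_runtime": runtime,
            "affected": is_affected(runtime, sys.platform)}


if __name__ == "__main__":
    print(check_running_interpreter())
```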