Zlib 1.2.11

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

These are the changes updating the bundled zlib from 1.2.8 to 1.2.10. The bundled copy is only used when building without a system zlib.

The new release includes fixes for security issues CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843.

Note: Only Windows and macOS are affected by this issue. Linux packages use the system zlib.
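As an added check that is not part of this advisory, the script below reads the zlib version the running interpreter actually loaded (not just the one it was compiled against) and compares it with the 1.2.11 release that the Python fix bundled. The 1.2.11 threshold and the Windows/macOS platform list come from this page; the helper names and the padding rule for four-part versions are assumptions.

```python
import re
import sys
import zlib

# Version the Python fix bundled, per this page ("update zlib to 1.2.11").
FIXED_ZLIB = (1, 2, 11)


def parse_zlib_version(text):
    """Turn a zlib version string such as '1.2.8' or '1.2.11.1' into a tuple of ints.

    Trailing suffixes like '-beta' are ignored; returns None if nothing numeric parses.
    """
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def zlib_is_fixed(version_text, fixed=FIXED_ZLIB):
    """True if the version string is at or above the fixed release."""
    parsed = parse_zlib_version(version_text)
    if parsed is None:
        return False  # unparseable: do not treat as known-good
    # Pad with zeros so (1, 2, 11) and (1, 2, 11, 0) compare equal (assumed convention).
    width = max(len(parsed), len(fixed))
    return parsed + (0,) * (width - len(parsed)) >= fixed + (0,) * (width - len(fixed))


def assess_interpreter():
    """Report the zlib this interpreter compiled against and the one it loaded at runtime."""
    compiled = zlib.ZLIB_VERSION
    # ZLIB_RUNTIME_VERSION exists since Python 3.3; older builds only expose ZLIB_VERSION.
    runtime = getattr(zlib, "ZLIB_RUNTIME_VERSION", compiled)
    # Platforms where this page says Python ships its own zlib instead of the system one.
    bundled_platform = sys.platform in ("win32", "darwin")
    return {
        "compiled": compiled,
        "runtime": runtime,
        "bundled_platform": bundled_platform,
        "fixed": zlib_is_fixed(runtime),
    }


if __name__ == "__main__":
    print(assess_interpreter())
```

On Linux the runtime value is the distribution's shared zlib, so a mismatch between `compiled` and `runtime` is expected there and the runtime value is the one that matters.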

Dates:

  • Disclosure date: 2017-01-05 (Python issue bpo-29169 reported)
  • Reported at: 2017-01-02 (zlib 1.2.10 released)

Fixed In

Python issue

update zlib to 1.2.11.

  • Python issue: bpo-29169
  • Creation date: 2017-01-05
  • Reporter: Matthias Klose

CVE-2016-9840

inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

CVE-2016-9841

inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

CVE-2016-9842

The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.

CVE-2016-9843

The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.

Timeline

Timeline using the disclosure date 2017-01-05 as reference:

  • 2017-01-02 (-3 days): Reported (zlib 1.2.10 released)
  • 2017-01-05: Python issue bpo-29169 reported by Matthias Klose
  • 2017-01-31 (+26 days): commit 34e7e2e (branch 3.5)
  • 2017-01-31 (+26 days): commit 80b24a9 (branch 2.7)
  • 2017-03-21 (+75 days): Python 3.6.1 released
  • 2017-05-23 (+138 days): CVE-2016-9840 published
  • 2017-05-23 (+138 days): CVE-2016-9841 published
  • 2017-05-23 (+138 days): CVE-2016-9842 published
  • 2017-05-23 (+138 days): CVE-2016-9843 published
  • 2017-08-07 (+214 days): Python 3.5.4 released
  • 2017-08-16 (+223 days): commit d0e61bd (branch 3.4)
  • 2017-09-16 (+254 days): Python 2.7.14 released
  • 2018-02-04 (+395 days): Python 3.4.8 released
  • 2018-06-27: Python 3.7.0 released