[issue29169] update zlib to 1.2.10

2017-01-06 Thread Matthias Klose

Matthias Klose added the comment:

ok, will wait with the commits until after the releases.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue29169] update zlib to 1.2.10

2017-01-05 Thread Raymond Hettinger

Raymond Hettinger added the comment:

> I'm inclined to not cherry-pick this, which means it'd 
> ship in 3.5.4 and 3.4.7, probably in six months.

I concur.  Looking at the CVEs, these all seem minor and not exploitable 
through the Python interface.

--
nosy: +rhettinger




[issue29169] update zlib to 1.2.10

2017-01-05 Thread Larry Hastings

Larry Hastings added the comment:

I cut 3.4.6rc1 and 3.5.3rc1 a couple of days ago.  Do you think the CVEs are 
bad enough to warrant cherry-picking this?  A quick google suggests they were 
all low severity:

http://www.openwall.com/lists/oss-security/2016/12/05/21

I'm inclined to not cherry-pick this, which means it'd ship in 3.5.4 and 3.4.7, 
probably in six months.

--




[issue29169] update zlib to 1.2.10

2017-01-05 Thread Roundup Robot

Roundup Robot added the comment:

New changeset ed172054a812 by doko in branch '2.7':
- Issue #29169: Update zlib to 1.2.10.
https://hg.python.org/cpython/rev/ed172054a812

--
nosy: +python-dev




[issue29169] update zlib to 1.2.10

2017-01-05 Thread Matthias Klose

New submission from Matthias Klose:

These are the changes updating zlib from 1.2.8 to 1.2.10. It is only used when 
building without a system zlib.  The new release includes fixes for security 
issues CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843.

Intending to update all active branches. Larry, is it ok to add this before the 
upcoming 3.4 and 3.5 releases, or should it wait?

Changes in 1.2.10 (2 Jan 2017)
- Avoid warnings on snprintf() return value
- Fix bug in deflate_stored() for zero-length input
- Fix bug in gzwrite.c that produced corrupt gzip files
- Remove files to be installed before copying them in Makefile.in
- Add warnings when compiling with assembler code

Changes in 1.2.9 (31 Dec 2016)
- Fix contrib/minizip to permit unzipping with desktop API [Zouzou]
- Improve contrib/blast to return unused bytes
- Assure that gzoffset() is correct when appending
- Improve compress() and uncompress() to support large lengths
- Fix bug in test/example.c where error code not saved
- Remedy Coverity warning [Randers-Pehrson]
- Improve speed of gzprintf() in transparent mode
- Fix inflateInit2() bug when windowBits is 16 or 32
- Change DEBUG macro to ZLIB_DEBUG
- Avoid uninitialized access by gzclose_w()
- Allow building zlib outside of the source directory
- Fix bug that accepted invalid zlib header when windowBits is zero
- Fix gzseek() problem on MinGW due to buggy _lseeki64 there
- Loop on write() calls in gzwrite.c in case of non-blocking I/O
- Add --warn (-w) option to ./configure for more compiler warnings
- Reject a window size of 256 bytes if not using the zlib wrapper
- Fix bug when level 0 used with Z_HUFFMAN or Z_RLE
- Add --debug (-d) option to ./configure to define ZLIB_DEBUG
- Fix bugs in creating a very large gzip header
- Add uncompress2() function, which returns the input size used
- Assure that deflateParams() will not switch functions mid-block
- Dramatically speed up deflation for level 0 (storing)
- Add gzfread(), duplicating the interface of fread()
- Add gzfwrite(), duplicating the interface of fwrite()
- Add deflateGetDictionary() function
- Use snprintf() for later versions of Microsoft C
- Fix *Init macros to use z_ prefix when requested
- Replace as400 with os400 for OS/400 support [Monnerat]
- Add crc32_z() and adler32_z() functions with size_t lengths
- Update Visual Studio project files [AraHaan]

--
assignee: doko
components: Extension Modules
files: zlib-1.2.10.diff
keywords: patch
messages: 284749
nosy: doko, larry
priority: normal
severity: normal
status: open
title: update zlib to 1.2.10
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6, Python 3.7
Added file: http://bugs.python.org/file46161/zlib-1.2.10.diff
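
The submission above notes that the bundled zlib is only used when Python is built without a system zlib, so whether a given interpreter still runs a pre-1.2.10 zlib depends on how it was built. The following is an added example, not part of the tracker thread or of CPython: a small audit that compares the zlib version the interpreter was compiled against with the one loaded at runtime. It assumes Python 3; the helper names `parse_zlib_version` and `audit` and the `FIXED` constant are hypothetical.

```python
import re
import zlib

# Version this issue updates the bundled copy to (taken from the thread).
FIXED = (1, 2, 10)


def parse_zlib_version(text):
    """Return the leading dotted numeric components as a tuple of ints.

    Vendor suffixes (constructed samples: "1.2.11.zlib-ng", "1.2.8.1-motley")
    are ignored after the numeric prefix.
    """
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unrecognised zlib version: {text!r}")
    return tuple(int(p) for p in m.group().split("."))


def audit(compiled=None, runtime=None):
    """Report the zlib this interpreter was built with and the one in use.

    With no arguments, the values come from the zlib module itself.
    ZLIB_RUNTIME_VERSION is the library actually loaded, so it decides
    whether the fixes are present; ZLIB_VERSION is the build-time header.
    """
    if compiled is None:
        compiled = zlib.ZLIB_VERSION
    if runtime is None:
        runtime = getattr(zlib, "ZLIB_RUNTIME_VERSION", compiled)
    c, r = parse_zlib_version(compiled), parse_zlib_version(runtime)
    return {
        "compiled": compiled,
        "runtime": runtime,
        "mismatch": c != r,          # built against one version, running another
        "needs_update": r < FIXED,   # runtime library older than 1.2.10
    }


if __name__ == "__main__":
    print(audit())
```
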
