Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

deps: update chromium zlib 1.2.12 #42571

Conversation

fabiomcarneiro
Copy link

@nodejs-github-bot nodejs-github-bot added dependencies Pull requests that update a dependency file. needs-ci PRs that need a full CI run. zlib Issues and PRs related to the zlib subsystem. labels Apr 1, 2022
@fabiomcarneiro fabiomcarneiro marked this pull request as draft April 1, 2022 18:02
@@ -17,7 +17,7 @@
#if !defined(CHROMIUM_ZLIB_NO_CHROMECONF)
/* This include does prefixing as below, but with an updated set of names. Also
* sets up export macros in component builds. */
//#include "chromeconf.h"
#include "chromeconf.h"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change still needs to be backed out IIRC. Either that, or you might try adding defining CHROMIUM_ZLIB_NO_CHROMECONF in the gyp file to see if that works. I commented this out in my original PR that added the Chromium zlib implementation because it was breaking zlib tests.

@@ -163,4 +163,4 @@
],
}],
],
}
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unnecessary change

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm OK with stripping out trailing spaces in this PR rather than leaving them or doing it in a separate PR.

@mscdex
Copy link
Contributor

mscdex commented Apr 1, 2022

By the looks of it, the gyp will probably need to be updated to match the changes made to the build.gn file, especially for any optimization-related changes.

@targos
Copy link
Member

targos commented Apr 4, 2022

Feel free to look at what I did in https://github.com/targos/node/tree/update-zlib-2 to fix the gyp config.

@Ilmarinen100
Copy link

am I correct to assume nodejs is vulnerable to CVE-2018-25032 until this is integrated/released?

@mscdex
Copy link
Contributor

mscdex commented Apr 5, 2022

@Ilmarinen100 #31201 (comment)

@LearnerOrLearnerr
Copy link

What would be the plan to close CVE-2018-25032 for the latest node LTS versions so that security scanning tools stop reporting the zlib implementation in node as vulnerable? I understand from the linked comments in #31201 that Chromium zlib which is being used is not vulnerable, but how to update nodejs such that this manual review of the situation and analysis is not required?

@Neustradamus
Copy link

Note there is now a 1.2.13 with CVE-2022-37434 fix.

@lpinca
Copy link
Member

lpinca commented Nov 17, 2022

Superseded by #45387.

@lpinca lpinca closed this Nov 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file. needs-ci PRs that need a full CI run. zlib Issues and PRs related to the zlib subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants