Skip to content

Update bundled libraries #1369

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 15 commits into
base: master
Choose a base branch
from
Open

Update bundled libraries #1369

wants to merge 15 commits into from

Conversation

mal359
Copy link

@mal359 mal359 commented Jan 7, 2025

Sybase OW development did this until it stalled out; probably a good idea to take a look here, since those that are from the 2000's are full of nasty vulnerabilities that could affect OW2.

mal359 added 8 commits January 7, 2025 00:03
@mal359
Update bundled TinyXML to 2.6.2
33585ab 
Include post-discontinuation patches for CVE-2021-42260 and CVE-2023-34194.

https://sourceforge.net/u/cvoegl/tinyxml/ci/f7ca0035d17a663f55668e662b840afce7b86112/

https://security-tracker.debian.org/tracker/CVE-2023-34194
@mal359
Added FileZilla and select SF patches to bundled TinyXML
678df23 
https://svn.filezilla-project.org/filezilla?view=revision&revision=3966

https://svn.filezilla-project.org/filezilla?view=revision&revision=3977

https://svn.filezilla-project.org/filezilla?view=revision&revision=4049

https://svn.filezilla-project.org/filezilla?view=revision&revision=6013

https://svn.filezilla-project.org/filezilla?view=revision&revision=6648

https://sourceforge.net/p/tinyxml/patches/51/

https://sourceforge.net/p/tinyxml/patches/58/
@mal359
Merge bzip2-1.0.8
e611fe9 
Several major vulnerabilities have been fixed upstream since the nearly twenty-year-old 1.0.3 release:

CAN-2005-0953
CAN-2005-0758
CERT-FI 20469
CVE-2010-0405
CVE-2010-0405
CVE-2016-3189
CVE-2019-12900

bzip2-1.0.8 also fixes large file support under WIndows.
@mal359
Add upstream patches
8747064 
Plus replace sprintf in bzip2recover https://sourceware.org/bugzilla/attachment.cgi?id=14412
@mal359
Backported a myriad of libzip fixes
77829cb 
Including 64k, >2GiB, and patches for:

CVE-2011-0421
CVE-2012-1162
CVE-2012-1163
CVE-2015-2331

As well as a fix from PHP and RedHat.

This probably broke something. A small initial price to pay for ZIP support being dragged into the 21st C :)
@mal359
Hardened bzip2
2cbddad
@mal359
Merge branch 'master' of https://github.com/mal359/open-watcom-v2
ecb4ba1
@mal359
Revert "Backported a myriad of libzip fixes"
d922e92 
This reverts commit 77829cb.
mal359 added 7 commits January 8, 2025 17:49
@mal359
bzip2 tweaks
416785d 
Via Debian, Gentoo, upstream, and GItLab bzip2.

https://sources.debian.org/patches/bzip2/1.0.8-6/20-legacy.patch/
https://sources.debian.org/patches/bzip2/1.0.8-6/40-bzdiff-l.patch/
https://gitweb.gentoo.org/repo/gentoo.git/tree/app-arch/bzip2/files/bzip2-1.0.8-mingw.patch
https://gitlab.com/bzip2/bzip2/-/commit/65179284ceddc43e6388bf4ed8c2d85cf16e1b2f
https://sourceware.org/git/?p=bzip2.git;a=commit;h=8ca1faa31f396d94ab927b257f3a05236c84e330
@mal359
Update to zlib-master
4c20f4d 
Since the bundled 1.2.3 was released, the following major vulnerabilities have been fixed:

CVE-2016-9840
CVE-2016-9841
CVE-2016-9842
CVE-2016-9843
CVE-2018-25032
CVE-2022-37434
CVE-2023-45853

Also includes select patches from SUSE.

https://build.opensuse.org/projects/openSUSE:Factory/packages/zlib/files/0001-Do-not-try-to-store-negative-values-in-unsigned-int.patch
https://build.opensuse.org/projects/openSUSE:Factory/packages/zlib/files/minizip-dont-install-crypt-header.patch
https://build.opensuse.org/projects/openSUSE:Factory/packages/zlib/files/zlib-1.2.11-covscan-issues-rhel9.patch
https://build.opensuse.org/projects/openSUSE:Factory/packages/zlib/files/zlib-1.2.11-covscan-issues.patch
https://build.opensuse.org/projects/openSUSE:Factory/packages/zlib/files/zlib-format.patch
@mal359
Fix bootstrap with newer zlib
fffd729 
Plus some C++ headers in TinyXML for the road.
@mal359
Let's try that again
6458ef8
@mal359
lipzip fixes
d6b0c1b 
Includes backported patches for

CVE-2011-0421 (nih-at/libzip@88efa42)
CVE-2015-2331 (php/php-src@ef8fc4b)

Other CVE's were introduced well after the bundled libzip's release.
@mal359
Revert "lipzip fixes"
eb667db 
This reverts commit 41d8538.
@mal359
Backport CVE patches.
d8d8058 
CVE-2011-0421 (nih-at/libzip@88efa42)
CVE-2015-2331 (php/php-src@ef8fc4b)

Fix MSVC build

strcasecmp has a Watcom-native implementation and is portable sans Windows. This replaces a prior stricmp call, which is deprecated in the Watcom C library.
@jmalak
Copy link
Member

jmalak commented Jan 16, 2025

Sorry, such "mega" change is not accepted, nobody will be checking this.
Please submit changes per project (each project as zlib or libzib etc.) because some changes can be disputted or refused.
It requires review and our resources are limited, it take a time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mal359 @jmalak