Zlib update to resolve security vulnerability

There are reports of a Critical severity security vulnerability in zlib through the 1.2.12 version: https://cve.report/CVE-2022-37434

The vulnerability is resolved in zlib 1.2.13: https://www.zlib.net/

Are there any plans to update OpenCV’s zlib with zlib 1.2.13?


NOTE: only applications that call inflateGetHeader are affected.

did you determine whether this is the case for OpenCV?

Yes, OpenCV (including other 3rd party tools that come with it like libpng) does not call inflateGetHeader().

But security scanning tools detect zlib 1.2.12 and produce a positive result, which is an issue with customers when OpenCV is part of a commercial application (even when it’s a false positive).

I was able to build OpenCV (version 4.5.3) with zlib 1.2.13. Tests showed no regressions. So, it might be just a matter of replacing zlib 1.2.12 with zlib 1.2.13.

write an issue

Issue created: Update zlib to version 1.2.13 · Issue #22764 · opencv/opencv · GitHub

1 Like

pr is on the way: 3rdparty: zlib 1.2.12 => 1.2.13 by alalek · Pull Request #22801 · opencv/opencv · GitHub

1 Like