Zlib update to resolve security vulnerability

fijoy · November 7, 2022, 10:23pm

There are reports of a Critical severity security vulnerability in zlib through the 1.2.12 version: https://cve.report/CVE-2022-37434

The vulnerability is resolved in zlib 1.2.13: https://www.zlib.net/

Are there any plans to update OpenCV’s zlib with zlib 1.2.13?

Thanks.

crackwitz · November 8, 2022, 12:43am

NOTE: only applications that call inflateGetHeader are affected.

did you determine whether this is the case for OpenCV?

fijoy · November 8, 2022, 1:53am

Yes, OpenCV (including other 3rd party tools that come with it like libpng) does not call inflateGetHeader().

But security scanning tools detect zlib 1.2.12 and produce a positive result, which is an issue with customers when OpenCV is part of a commercial application (even when it’s a false positive).

I was able to build OpenCV (version 4.5.3) with zlib 1.2.13. Tests showed no regressions. So, it might be just a matter of replacing zlib 1.2.12 with zlib 1.2.13.

laurent.berger · November 8, 2022, 12:32pm

write an issue

fijoy · November 8, 2022, 4:43pm

Issue created: Update zlib to version 1.2.13 · Issue #22764 · opencv/opencv · GitHub

berak · November 14, 2022, 10:33am

pr is on the way: 3rdparty: zlib 1.2.12 => 1.2.13 by alalek · Pull Request #22801 · opencv/opencv · GitHub

Topic		Replies	Views
Opencv ZLIB generation issue build	10	988	May 15, 2023
Disable ZLIB from opencv 4.9 C++ build	3	223	March 15, 2024
Totally disable zlib from opencv 4.8.0 C++ build	6	520	August 9, 2023
How to update libpng version in opencv	7	412	July 20, 2023
Cannot compile some issue with libIlmImf-2_2.so.23 C++ build	3	2079	July 3, 2021

Zlib update to resolve security vulnerability

Related topics