DinoChiesa / DotNetZip

Library for creating and reading .ZIP files from a .NET Language

Is DotNetZip affected by the new zlib Security bug (CVE-2018-25032)? #17

Open StarWars999123 opened 2 years ago

StarWars999123 commented 2 years ago

According to press reports, zlib has a serious security issue, and an old fix is already available. Since DotNetZip uses a modified version of jzlib (probably a derivative of zlib), is this library affected, and are fixes already available?

CVE-2018-25032

DinoChiesa commented 2 years ago

DotNetZip uses a modified version of jzlib? Is that true? Are you sure about that? Can you show me why you think that?

On Wed, Mar 30, 2022 at 4:44 AM StarWars999123 @.***> wrote:

According to press reports, zlib has a serious security issue, and an old fix is already available. Since DotNetZip uses a modified version of jzlib (probably a derivative of zlib), is this library affected, and are fixes already available?

CVE-2018-25032 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032


-- -Dino

StarWars999123 commented 2 years ago

https://github.com/DinoChiesa/DotNetZip/blob/master/Zlib/Zlib.cs#:~:text=This%20module%20defines,but%20significantly%20modified. OK, it just contains some data models here. However, I didn't take a detailed look into the code, where you added in some classes that this code is completely novel. So you don't expect any influence of the zlib issue on DotNetZip, correct?