Closed cwlmco closed 1 year ago
Also CVE-2018-25032
I will revisit whether it makes sense to continue using the Intel zlib implementation at all, since it is now only used by the TurboVNC Server. If it still makes sense, I'll update to their latest code.
Even with raw TurboVNC encoder benchmarks, there is no longer a compelling speedup relative to the system-installed version of zlib, so I'm just going to remove our in-tree version.
Sorry for the delay. I'm not sure what happened with the results I obtained in April, but they were apparently bogus. I re-ran the same benchmarks today with both 64-bit and 32-bit code and still see a significant enough speedup with the Intel zlib implementation to justify its inclusion. I see the same speedup with the new (1.2.13) Intel zlib implementation as with our current implementation, which is based on zlib 1.2.8.
Comments regarding TurboVNC's exposure to the security issues in question:
inflateGetHeader()
.Z_FIXED
.That being said, the new 1.2.13 Intel zlib implementation is easier to build and does a much better job of run-time CPU feature detection, so it's worth upgrading for those reasons. I am testing whether it makes sense to always use the system zlib implementation for non-x86 architectures.
Thanks for the update.
Since this is a non-critical issue, I have committed the new zlib code to the dev branch (TurboVNC 3.1 evolving.)
See CVE-2022-37434 and CVE-2016-9843