ecmwf / magics

Plotting package to visualise meteorological data in GRIB, NetCDF, BUFR and ODB format.
Apache License 2.0

drivers: update minizip to zlib:v1.3.1 #102

Closed jayaddison closed 1 week ago

jayaddison commented 9 months ago

Updates the vendored minizip code to v1.3.1 from madler/zlib.

Also includes one change to the defaults in the Dockerfile, so that I could build a container image and run the selfcheck in it. I don't know whether that proves much about the upgrade; I did find the magics-test regression tests but haven't been able to run those yet. (reverted, to avoid mixing unrelated changes)

FussyDuck commented 9 months ago

CLA assistant check
All committers have signed the CLA.

sonarcloud[bot] commented 9 months ago

Kudos, SonarCloud Quality Gate passed!

Bugs: 0 (rating A)
Vulnerabilities: 0 (rating A)
Security Hotspots: 0 (rating A)
Code Smells: 0 (rating A)

No Coverage information
No Duplication information

sonarcloud[bot] commented 6 months ago

Quality Gate passed

Issues
0 New issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

sonarcloud[bot] commented 1 month ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

jayaddison commented 2 weeks ago

Hi @iainrussell - apologies for the direct mention; you appeared when I checked the list of recent commits in this repository and I thought it might be worth tagging you on this PR.

This was part of a series of pull requests that I opened in various projects after learning about CVE-2023-45853 -- a problem related to very long filenames or comments in zip files -- in minizip, as distributed with the zlib sources.

I'm working through some old/stale pull requests to determine whether they can be closed, and this is one of them.

I wasn't and am not super familiar with magics (I'm not a user of it), but on inspection I notice that minizip is used during opening of KML and GeoJSON files -- and uses fixed, short filenames, without any use of comments in those sections of code -- so I believe that this codebase is unaffected by the problem.

Even so, I'd personally generally recommend staying up-to-date with external dependency updates, because it can make future upgrades to them easier -- but I don't think there's any necessity to do so in this case. I'll likely close this pull request in a week or so's time, unless the project feels it is worthwhile to merge.
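As an added illustration of the point above about fixed, short entry names (example code written for this page, not magics or minizip code): a defensive parser for a ZIP local file header, whose name and extra-field lengths are untrusted 16-bit values read from the file, plus a policy check that refuses names longer than the application expects. The entry name "doc.kml", the sample header bytes and the 64-byte limit are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ZIP_LOCAL_SIG   0x04034b50u
#define ZIP_LOCAL_FIXED 30u  /* header bytes before the variable-length fields */

/* Hypothetical parsed view of one local file header (not minizip's types). */
typedef struct {
    const uint8_t *name;  size_t name_len;
    const uint8_t *extra; size_t extra_len;
} zip_local_hdr;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Parse defensively: the name and extra lengths come from the file, so every
 * derived offset is bounded by the bytes actually held before it is used. */
bool zip_parse_local_header(const uint8_t *buf, size_t len, zip_local_hdr *out)
{
    if (buf == NULL || out == NULL || len < ZIP_LOCAL_FIXED) return false;
    if (rd32(buf) != ZIP_LOCAL_SIG) return false;
    size_t name_len = rd16(buf + 26), extra_len = rd16(buf + 28);
    /* Sum cannot overflow: at most 30 + 2 * 0xffff, which fits any size_t. */
    if (ZIP_LOCAL_FIXED + name_len + extra_len > len) return false;
    out->name = buf + ZIP_LOCAL_FIXED;  out->name_len = name_len;
    out->extra = out->name + name_len;  out->extra_len = extra_len;
    return true;
}

/* Policy check mirroring the thread's observation: the application only opens
 * a fixed, short entry name, so longer or NUL-containing names are refused. */
bool zip_name_within_policy(const zip_local_hdr *h, size_t max_name_len)
{
    return h->name_len <= max_name_len && memchr(h->name, '\0', h->name_len) == NULL;
}

/* Constructed sample: local header for "doc.kml", deflate, no extra field. */
static const uint8_t SAMPLE_KML_HDR[] = {
    0x50,0x4b,0x03,0x04, 0x14,0x00, 0x00,0x00, 0x08,0x00, 0x00,0x00, 0x00,0x00,
    0,0,0,0, 0,0,0,0, 0,0,0,0,      /* crc32, compressed and uncompressed sizes */
    0x07,0x00, 0x00,0x00,           /* name length 7, extra length 0 */
    'd','o','c','.','k','m','l' };

bool sample_parses_ok(void)
{
    zip_local_hdr h;
    return zip_parse_local_header(SAMPLE_KML_HDR, sizeof SAMPLE_KML_HDR, &h)
        && h.name_len == 7 && memcmp(h.name, "doc.kml", 7) == 0
        && zip_name_within_policy(&h, 64);
}
```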

jayaddison commented 1 week ago

Closing this pull request; please feel free to recover the commits (git fetch origin pull/102/head:pr-102-recovered, or similar) and apply/compare against those if they'd be useful in future.