ruby / zlib

Ruby interface for the zlib compression/decompression library

CVE-2018-25032 zlib #46

Closed zeeamber closed 2 years ago

zeeamber commented 2 years ago

A new version of zlib, 1.2.12, is available to address a bug that can crash deflate on some input when using Z_FIXED. Any plans to upgrade the gem with the latest version of zlib?

hsbt commented 2 years ago

zlib is different from the zlib gem. There is no issue with the zlib gem.

sorah commented 2 years ago

https://github.com/ruby/zlib/blob/master/ext/zlib/extlibs ?

zeeamber commented 2 years ago

@hsbt can you please explain why we are using zlib version 1.2.11, which is vulnerable, in these places? https://github.com/ruby/zlib/blob/486014c8bd8420eae0f6354a87ab6f70f61b8c57/ext/zlib/extlibs https://github.com/ruby/zlib/blob/486014c8bd8420eae0f6354a87ab6f70f61b8c57/ext/zlib/win32/zlib-1.2.11-mswin.patch

hsbt commented 2 years ago

@sorah This file is not working with this repo.

hsbt commented 2 years ago

I removed it at https://github.com/ruby/zlib/commit/2b02fc0c727bd0eb141efd9b8bd38c840e0bab8a and https://github.com/ruby/zlib/commit/439f39369b657062c8e32a12c9411656bf94358f

@zeeamber In https://github.com/ruby/ruby, users can download the zlib source via the extlibs file. But this file was removed at https://github.com/ruby/ruby/commit/82c8acbcfd3197e19620dc6024d08c85ea99a05b. And this download feature is only provided by the ruby/ruby repo. So, the zlib gem is not affected by this file.
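The thread's practical point is that the Ruby zlib extension links against whatever libz is on the system rather than shipping its own, so the file to audit is not the gem but the zlib library the extension was compiled against and is loaded with at runtime. The following is an added example (not code from the ruby/zlib repository or from the commenters) that reports both versions through the extension's own `Zlib::ZLIB_VERSION` and `Zlib.zlib_version` and flags anything older than 1.2.12, the release the issue names as fixing CVE-2018-25032. The helper names (`affected_by_cve_2018_25032?`, `zlib_version_report`, `normalize_zlib_version`) are this example's own.

```ruby
# Added example, not part of the ruby/zlib project: audit which zlib the
# Ruby zlib extension was built against and is running with, and flag any
# version older than 1.2.12 (the release that fixed CVE-2018-25032, the
# Z_FIXED deflate bug mentioned in the issue).
require "zlib"
require "rubygems" # provides Gem::Version for dotted-version comparison

# First zlib release carrying the CVE-2018-25032 fix (stated in the issue).
FIXED_ZLIB_VERSION = Gem::Version.new("1.2.12")

# Keep only the leading dotted-numeric part of a version string so that
# vendor-suffixed strings (constructed example: "1.2.11.1-motley") still parse.
def normalize_zlib_version(str)
  str.to_s[/\A\d+(\.\d+)*/] || "0"
end

# True when the given zlib version string is older than 1.2.12.
# Defaults to the version of the zlib library actually loaded at runtime.
def affected_by_cve_2018_25032?(version = Zlib.zlib_version)
  Gem::Version.new(normalize_zlib_version(version)) < FIXED_ZLIB_VERSION
end

# Compile-time vs runtime zlib versions. The extension does not bundle zlib,
# so these two values are what an auditor needs; they can differ when the
# shared libz was upgraded after the extension was compiled.
def zlib_version_report
  {
    compiled_against: Zlib::ZLIB_VERSION, # zlib.h version seen at build time
    runtime: Zlib.zlib_version,           # version of the libz actually loaded
    runtime_affected: affected_by_cve_2018_25032?(Zlib.zlib_version)
  }
end

if __FILE__ == $0
  report = zlib_version_report
  puts "compiled against zlib #{report[:compiled_against]}, running with #{report[:runtime]}"
  if report[:runtime_affected]
    puts "runtime zlib is older than 1.2.12: upgrade the system zlib library"
  else
    puts "runtime zlib is 1.2.12 or newer: CVE-2018-25032 fix is present"
  end
end
```

Run it with `ruby zlib_audit.rb` (file name is the example's own); the upgrade, when needed, is to the operating system's zlib package, since the gem only wraps it.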