xroche / httrack

HTTrack Website Copier, copy websites to your computer (Official repository)
http://www.httrack.com/

Maintenance: update vendored minizip code to the version distributed with zlib v1.3 #265

Closed jayaddison closed 1 year ago

jayaddison commented 1 year ago

Resolves #240.

After updating minizip to match zlib v1.3 and manually re-applying the .diff files, I ran the following checks:

Applying the .diff files was definitely the most difficult part of the process, and likely the most difficult to review, also.

xroche commented 1 year ago

Thank you for this fix! Reviewed, tested with both built-in tests and manually downloading.

PASS: 00_runnable.test
PASS: 01_engine-charset.test
PASS: 01_engine-entities.test
PASS: 01_engine-hashtable.test
PASS: 01_engine-idna.test
PASS: 01_engine-simplify.test
PASS: 10_crawl-simple.test
PASS: 11_crawl-cookies.test
PASS: 11_crawl-idna.test
PASS: 11_crawl-international.test
PASS: 11_crawl-longurl.test
PASS: 11_crawl-parsing.test
PASS: 12_crawl_https.test

I already cherry-picked https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c as advised, but updating this code seems a good idea!

Thanks again for your help,

jayaddison commented 1 year ago

You're welcome - thank you!

Neustradamus commented 1 year ago

@jayaddison: Thanks for your PR!

@xroche: Thanks for the CVE-2023-45853 patch because it is not included in Zlib 1.3...

jayaddison commented 9 months ago

@xroche a note that zlib v1.3.1 is now available including the previously-cherry-picked fix, and hopefully is a straightforward upgrade - let me know whether I should open a pull request for that, or if you'd prefer to apply the upgrade yourself.

Neustradamus commented 9 months ago

@jayaddison: Thanks for your comment :)

@xroche: There are 2 CVE fixes in the latest Zlib 1.3.1 for minizip. Have you received my emails? I have been trying to contact you in private.