Skip to content

upgrade zlib version to 1.2.13, which is the latest release.#177

Open
Jackie9527 wants to merge 1 commit intoo3de:mainfrom
Jackie9527:main_dev
Open

upgrade zlib version to 1.2.13, which is the latest release.#177
Jackie9527 wants to merge 1 commit intoo3de:mainfrom
Jackie9527:main_dev

Conversation

@Jackie9527
Copy link
Contributor

@Jackie9527 Jackie9527 commented Feb 6, 2023
edited
Loading

@Jackie9527
upgrade zlib version to 1.2.13, which is the latest release.
70c5d74 
Signed-off-by: Jackie9527 <80555200+Jackie9527@users.noreply.github.com>
@AMZN-daimini AMZN-daimini requested review from a team, nick-l-o3de and spham-amzn February 20, 2023 13:15
@nick-l-o3de
Copy link
Contributor

nick-l-o3de commented Feb 20, 2023
edited
Loading

one thing to caution here, zlib is so base and fundamental to everything that this will potentially cascade to needing to then update many other packages.

Unless something really serious forces us to change zlib, I'd highly recommend against it. Was it a security patch or something?

The situation here is that we distribute it as a static lib, so upgrading the package here will deliver a new static lib, and everything linking to that static lib will now link to the new one (yay!) So you don't need to update other packages even if they depend on zlib - as long as those other packages also deliver as static libs.

However, if there are packages that deliver as dlls or executables, and those packages will pack the contents of the stale zlib into their own dlls and will have older versions even after we ship this.

If we're doing this for some new feature it probably doesn't matter. if we're doing this to solve a real security hole, then we'd need to also issue new versions of the dll or exe distributed libraries in 3p that ingest the old zlib.

  • consider updating the spdx license files at the root of the repo, too

the packages I'm aware of that may use and ingest our zlib and ship it as a non-static link would be

  • AWS Native SDK (possibly? does it come as lib files or dlls?)
  • ASsimp (same question, not sure)
  • openimageio/opencolorio (which ingest zlib)
  • potentially qt (it ships as dlls)

There may also be others. It really depends on if its a serious security patch that would affect those or if its just new features or somehting.

nick-l-o3de
nick-l-o3de approved these changes Feb 20, 2023
View reviewed changes
Copy link
Contributor

@nick-l-o3de nick-l-o3de left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that being said, there's nothing I spy wrong with this.
Its a pity the thing was one of the first packages ever made and didn't have any self tests tho

@KylerSF
Copy link

KylerSF commented Feb 20, 2026

Just adding some info for anyone looking into this in the future, zlib 1.2.13 does fix a security problem, but o3de does not seem to use the affected piece of zlib from a quick search.
https://github.com/madler/zlib/releases/tag/v1.2.13
https://nvd.nist.gov/vuln/detail/CVE-2022-37434

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nick-l-o3de nick-l-o3de nick-l-o3de approved these changes

@spham-amzn spham-amzn spham-amzn approved these changes

Assignees

No one assigned

Labels

None yet

Projects

Roadmap of Huawei Contributions to O3DE
Status: In Progress

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Jackie9527 @nick-l-o3de @KylerSF @spham-amzn