From df99ace8eb478e411ca07e6270d81c1e1b4466d1 Mon Sep 17 00:00:00 2001
From: Zachary Ware
Date: Tue, 1 Nov 2022 13:02:51 -0500
Subject: [PATCH] gh-98689: Update Windows builds to zlib v1.2.13 (GH-98968)
(cherry picked from commit c0859743d9ad3bbd4c021200f4162cfeadc0c17a)
Co-authored-by: Zachary Ware
---
 .../next/Windows/2022-11-01-11-07-33.gh-issue-98689.0f6e_N.rst | 2 ++
 PCbuild/get_externals.bat | 2 +-
 PCbuild/python.props | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Windows/2022-11-01-11-07-33.gh-issue-98689.0f6e_N.rst
diff --git a/Misc/NEWS.d/next/Windows/2022-11-01-11-07-33.gh-issue-98689.0f6e_N.rst b/Misc/NEWS.d/next/Windows/2022-11-01-11-07-33.gh-issue-98689.0f6e_N.rst
new file mode 100644
index 00000000000000..295debb81369a8
--- /dev/null
+++ b/Misc/NEWS.d/next/Windows/2022-11-01-11-07-33.gh-issue-98689.0f6e_N.rst
@@ -0,0 +1,2 @@
+Update Windows builds to zlib v1.2.13. v1.2.12 has CVE-2022-37434, but
+the vulnerable ``inflateGetHeader`` API is not used by Python.
diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat
index f72c8f6acb4a21..57761342ab6646 100644
--- a/PCbuild/get_externals.bat
+++ b/PCbuild/get_externals.bat
@@ -59,7 +59,7 @@ if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.12.
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.12.0
 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tix-8.4.3.6
 set libraries=%libraries% xz-5.2.5
-set libraries=%libraries% zlib-1.2.12
+set libraries=%libraries% zlib-1.2.13
 for %%e in (%libraries%) do (
 if exist "%EXTERNALS_DIR%\%%e" (
diff --git a/PCbuild/python.props b/PCbuild/python.props
index 1db13d46a7adfc..56060f798e193f 100644
--- a/PCbuild/python.props
+++ b/PCbuild/python.props
@@ -67,7 +67,7 @@
 $(ExternalsDir)openssl-bin-1.1.1q\$(ArchName)\
 $(opensslOutDir)include
 $(ExternalsDir)\nasm-2.11.06\
- $(ExternalsDir)\zlib-1.2.12\
+ $(ExternalsDir)\zlib-1.2.13\
 _d