Skip to content

CMake: Windows: harden install by including zlib1.dll #743

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 10, 2023
Merged

CMake: Windows: harden install by including zlib1.dll #743

merged 1 commit into from
Jan 10, 2023

Conversation

psyke83
Copy link
Contributor

@psyke83 psyke83 commented Jan 10, 2023

Description

mingw's openssl library is built using the "zlib-dynamic" flag, which invokes LoadLibrary() of zlib1.dll during runtime to allow openssl to function if no zlib.dll is installed.

This is a problem because it prevents static linkage of zlib, thus opening a security vulnerability by which a malicious zlib1.dll can be loaded from any valid system dll search path.

Increase security by including the mingw version of zlib1.dll in the application path, which will override any other versions.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Dependency update (updates to dependencies)
  • Documentation update (changes to documentation)
  • Repository update (changes to repository files, e.g. .github/...)

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added or updated the in code docstring/documentation-blocks for new or existing methods/components

Branch Updates

LizardByte requires that branches be up-to-date before merging. This means that after any PR is merged, this branch
must be updated before it can be merged. You must also
Allow edits from maintainers.

  • I want maintainers to keep my branch updated

@psyke83 psyke83 marked this pull request as ready for review January 10, 2023 03:16
@psyke83 @ReenigneArcher
CMake: Windows: harden install by including zlib1.dll
be84f7f 
mingw's openssl library is built using the "zlib-dynamic" flag, which
invokes LoadLibrary() of zlib1.dll during runtime to allow openssl to
function if no zlib.dll is installed.

This is a problem because it prevents static linkage of zlib, thus
opening a security vulnerability by which a malicious zlib1.dll can
be loaded from any valid system dll search path.

Increase security by including the mingw version of zlib1.dll in the
application path, which will override any other versions.
@ReenigneArcher ReenigneArcher merged commit b405888 into LizardByte:nightly Jan 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cgutman cgutman cgutman approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@psyke83 @cgutman @ReenigneArcher