MantisBT - CMake
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0003473CMakeCMakepublic2006-07-03 07:342007-09-17 14:17
ReporterMarc Espie 
Assigned ToBill Hoffman 
PriorityhighSeveritymajorReproducibilityalways
StatusclosedResolutionfixed 
PlatformOSOS Version
Product Version 
Target VersionFixed in Version 
Summary0003473: zlib bundled version is too old
DescriptionI've just checked, it is the generic zlib 1.1.4.
This version is several years old, and has gone through several revisions to fix quite a few vulnerabilities.
Since there are test beds using cmake (and cmtar), this means that all of them are vulnerable.

Please answer this concern shortly. This is an actual security hole.

I suggest using a current zlib, and at least providing a way to link with the system library.

The cm_zlib prefix makes very little sense: every one out there is using zlib, and thus the gzopen/gzread interface is standard.

Moreover some OSes
Steps To Reproduce
Additional Information
TagsNo tags attached.
Relationships
duplicate of 0005445closed David Cole ITK ITK/VTK/CMake are using zlib 1.1.4, current version is 1.2.3, should upgrade 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2007-08-31 11:28Alex NeundorfAssigned ToSystem Admin => Bill Hoffman
2007-08-31 12:37Bill HoffmanNote Added: 0008791
2007-08-31 13:25Sean McBrideNote Added: 0008792
2007-08-31 13:28Sean McBrideRelationship addedduplicate of 0005445
2007-09-11 11:24David ColeStatusassigned => resolved
2007-09-11 11:24David ColeResolutionopen => fixed
2007-09-11 11:24David ColeNote Added: 0008917
2007-09-17 14:17Alex NeundorfStatusresolved => closed

Notes
(0008791)
Bill Hoffman   
2007-08-31 12:37   
You can set the variable CMAKE_USE_SYSTEM_ZLIB when you build cmake, and it will use the system zlib. The cm_zlib allows for multiple versions of zlib to be in one application, the zlib that cmake uses is shared by VTK and ITK I think. I will look into an upgrade, but if you want to use a system one you can very easily.
(0008792)
Sean McBride   
2007-08-31 13:25   
This is a dupe of bug 5445.
(0008917)
David Cole   
2007-09-11 11:24   
Utilities/cmzlib updated to 1.2.3