[gdal-dev] zlib vulnerability CVE-2018-25032 affecting GAL
Andrew C Aitchison
andrew at aitchison.me.uk
Thu Apr 7 07:07:52 PDT 2022
On Thu, 7 Apr 2022, Greg Troxel wrote:
> Even Rouault <even.rouault at spatialys.com> writes:
>
>> Most GDAL binary distributions don't use that internal copy but the
>> external zlib library provided by the operating system / distribution
>> channel.
>
> I realize you are accomodating people who can somehow get and build gdal
> sources but can't first install zlib, but from the packaging viewpoint
> having included copies is a bad thing. Yes, it shouldn't get used, but
> if a dependency isn't declared it would be hidden or not provided and
> then be used anyway.
>
> I therefore think it would be good to consider removing the vendored
> copies, or at least requiring explicit config to turn them on. (I just
> looked in the sources for how to build and didn't find it in README. I
> know I have figured out how to build and this isn't a request for help,
> but in terms of the cmake migration the instructions are missing.) It
> looks like internal will just be used if zlib is not found.
>
> I wonder if it's still really necessary/helpful to have included libs
> like zlib.
I wondered whether it made a difference to driver plugins and "DLL hell"
- the PNG driver uses zlib/libz and libpng -
but it seems that we outlaw building gdriver plugins and internal
libraries, so that would not be a reason to keep the internal libraries.
--
Andrew C. Aitchison Kendal, UK
andrew at aitchison.me.uk
More information about the gdal-dev
mailing list