
Comments (6)

cwlmco commented on June 25, 2024

Also CVE-2018-25032

from turbovnc.

dcommander commented on June 25, 2024

I will revisit whether it makes sense to continue using the Intel zlib implementation at all, since it is now only used by the TurboVNC Server. If it still makes sense, I'll update to their latest code.


dcommander commented on June 25, 2024

Even with raw TurboVNC encoder benchmarks, there is no longer a compelling speedup relative to the system-installed version of zlib, so I'm just going to remove our in-tree version.


dcommander commented on June 25, 2024

Sorry for the delay. I'm not sure what happened with the results I obtained in April, but they were apparently bogus. I re-ran the same benchmarks today with both 64-bit and 32-bit code and still see a significant enough speedup with the Intel zlib implementation to justify its inclusion. I see the same speedup with the new (1.2.13) Intel zlib implementation as with our current implementation, which is based on zlib 1.2.8.

Comments regarding TurboVNC's exposure to the security issues in question:

  • CVE-2022-37434 is not applicable because TurboVNC never reads gzip headers via inflateGetHeader().
  • CVE-2016-9843 is probably not applicable because TurboVNC never directly performs CRC32 calculations. (That issue only affected big-endian architectures anyhow, which are not officially supported by TurboVNC. Also, to the best of my understanding, the issue involved behavior that worked in reality but was technically undefined per the C standard.)
  • CVE-2018-25032 is not applicable because TurboVNC never uses Z_FIXED.

That being said, the new 1.2.13 Intel zlib implementation is easier to build and does a much better job of run-time CPU feature detection, so it's worth upgrading for those reasons. I am testing whether it makes sense to always use the system zlib implementation for non-x86 architectures.
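
Added example, not part of the comment above and not TurboVNC code: one way to check this kind of "not applicable" triage against a source tree is to search for the three zlib identifiers the comment names, ignoring mentions inside comments and string literals. The CVE-to-identifier mapping is taken from the comment; the function names and the sample sources are constructed for illustration.

```python
import re

# CVE -> zlib identifier that the comment above treats as the exposure condition.
INDICATORS = {
    "CVE-2022-37434": r"\binflateGetHeader\s*\(",
    "CVE-2016-9843": r"\bcrc32(?:_z)?\s*\(",
    "CVE-2018-25032": r"\bZ_FIXED\b",
}

# Matches C comments and string/char literals so mentions inside them are ignored.
_NOISE = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.S)

def strip_noise(src):
    """Blank out comments and literals, keeping newlines so line numbers hold."""
    return _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)

def scan(files):
    """files: {path: C source text}. Returns {cve: [(path, line_no), ...]}."""
    hits = {cve: [] for cve in INDICATORS}
    for path, src in sorted(files.items()):
        for no, line in enumerate(strip_noise(src).splitlines(), 1):
            for cve, pat in INDICATORS.items():
                if re.search(pat, line):
                    hits[cve].append((path, no))
    return hits

# Constructed sample sources (hypothetical file names, not TurboVNC code).
SAMPLE = {
    "encoder.c": (
        "/* we never call inflateGetHeader() here */\n"
        "int setup(z_stream *s) {\n"
        "  // Z_FIXED is not used\n"
        "  return deflateInit2(s, 1, Z_DEFLATED, 15, 8, Z_DEFAULT_STRATEGY);\n"
        "}\n"
    ),
    "tool.c": (
        "int setup(z_stream *s) {\n"
        "  puts(\"crc32(\");\n"
        "  return deflateInit2(s, 1, Z_DEFLATED, 15, 8, Z_FIXED);\n"
        "}\n"
        "unsigned long sum(const unsigned char *p, unsigned n) {\n"
        "  return crc32(0L, p, n);\n"
        "}\n"
    ),
}

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A hit is a lead for manual review rather than proof of exposure, and an empty result only covers the files scanned, not other libraries that call zlib on the application's behalf.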


cwlmco commented on June 25, 2024

Thanks for the update.


dcommander commented on June 25, 2024

Since this is a non-critical issue, I have committed the new zlib code to the dev branch (TurboVNC 3.1 evolving.)

