Skip to content

CMake: Windows: harden install by including zlib1.dll#743

Merged
ReenigneArcher merged 1 commit intoLizardByte:nightlyfrom
psyke83:windows_zlib
Jan 10, 2023
Merged

CMake: Windows: harden install by including zlib1.dll#743
ReenigneArcher merged 1 commit intoLizardByte:nightlyfrom
psyke83:windows_zlib

Conversation

@psyke83
Copy link
Contributor

@psyke83 psyke83 commented Jan 10, 2023

Description

mingw's openssl library is built using the "zlib-dynamic" flag, which invokes LoadLibrary() of zlib1.dll during runtime to allow openssl to function if no zlib.dll is installed.

This is a problem because it prevents static linkage of zlib, thus opening a security vulnerability by which a malicious zlib1.dll can be loaded from any valid system dll search path.

Increase security by including the mingw version of zlib1.dll in the application path, which will override any other versions.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Dependency update (updates to dependencies)
  • Documentation update (changes to documentation)
  • Repository update (changes to repository files, e.g. .github/...)

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added or updated the in code docstring/documentation-blocks for new or existing methods/components

Branch Updates

LizardByte requires that branches be up-to-date before merging. This means that after any PR is merged, this branch
must be updated before it can be merged. You must also
Allow edits from maintainers.

  • I want maintainers to keep my branch updated

@psyke83 psyke83 marked this pull request as ready for review January 10, 2023 03:16
@psyke83 @ReenigneArcher
CMake: Windows: harden install by including zlib1.dll
be84f7f 
mingw's openssl library is built using the "zlib-dynamic" flag, which
invokes LoadLibrary() of zlib1.dll during runtime to allow openssl to
function if no zlib.dll is installed.

This is a problem because it prevents static linkage of zlib, thus
opening a security vulnerability by which a malicious zlib1.dll can
be loaded from any valid system dll search path.

Increase security by including the mingw version of zlib1.dll in the
application path, which will override any other versions.
@ReenigneArcher ReenigneArcher merged commit b405888 into LizardByte:nightly Jan 10, 2023
@psyke83 psyke83 deleted the windows_zlib branch February 15, 2026 18:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cgutman cgutman cgutman approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@psyke83 @cgutman @ReenigneArcher