Zlib version

mbathala1 · April 5, 2021, 3:20pm

The openNURBS 7 and openNURBS 6 toolkit uses zlib version 1.2.3. Our tool reported zlib 1.2.3 as vulnerable.

The most recent version of zlib.available on “https://zlib.net/” is 1.2.11. Are there any plans to move to move to zlib version 1.2.11 in openNURBS 7.0?

Thank you
Mallikarjuna Bathala
PTC Inc.

nathanletwory · March 26, 2021, 7:41am

No plans that I am aware of, but I have logged your request as RH-63503 Update OpenNURBS zlib to 1.2.11.

If you have links to vulnerability reports regarding the current zlib version please share them here, too.

gankeyu · March 26, 2021, 7:44am

Maybe he’s referring to

CVE-2016-9840
CVE-2016-9841
CVE-2016-9842
CVE-2016-9843

?

jeremy5 · March 26, 2021, 9:30am

From the change log there have been a lot of bug fixes and some performance improvements too. Worth a look…

darbyjohnston · March 26, 2021, 4:13pm

ZLIB 1.2.11 also fixes a bunch of issues with symbol visibility:

mbathala1 · March 30, 2021, 11:43am

Here are the vulnerability reports:
CVE-2016-9841
CVE-2016-9843
CVE-2016-9840
CVE-2016-9842

This is a critical issue for us and want to fix it as soon as possible.
Can I update zlib library to 1.2.11 at our end and validate it? Is it legal?

Thanks
Mallikarjuna Bathala

dale · March 30, 2021, 9:45pm

Hi @mbathala1,

Thanks for pointing out the vulnerability issues. We’ll take these into consideration for the next release of Rhino and openNURBS.

https://mcneel.myjetbrains.com/youtrack/issue/RH-63503

Upgrading the version of zlib used by openNURBS will require a lot of careful backward compatibility testing. We have millions of compressed meshes in existing 3dm data sets.

Thanks,

– Dale

dale · March 30, 2021, 9:47pm

Hi @darbyjohnston,

I suspect you are statically linking two zlibs into the same exe/dll. I suggest you use opennurbs as a DLL.

We use the zlib approved way to decorate the public symbols.

Thanks,

– Dale

darbyjohnston · March 30, 2021, 10:28pm

Hi @dale, if I remember correctly the issue is that earlier versions of zlib don’t have all of the symbols decorated with the Z_PREFIX macro. I believe ZLIB 1.2.11 fixes most but not all of these. I have an old branch on GitHub where I tried fixing these up and was able to link a static version of ZLIB:

That branch also adds CMake support for opennurbs; would there be any interest in merging that if I submitted a PR?

Thanks, Darby

dale · March 30, 2021, 10:32pm

Thanks, but we have a developer working on this…

– Dale

mbathala1 · March 31, 2021, 4:56am

I noticed that this would be considered for 8.x? Could you let us know the tentative release schedule of 8.x?

dale · March 31, 2021, 2:57pm

Hi @mbathala1,

There is no tentative release schedule for Rhino 8. We just release Rhino 7 back in November. Rhino 6 was released two years prior to that, just for some perspective.

Thanks,

– Dale

mbathala1 · April 1, 2021, 10:36am

Ok, thank you for the info.

Currently we use openNURBS 5 (as a DLL) to read Rhino models. We built openNURBS 5 DLL with Microsoft Visual Studio 2010 SP1. But, it is dependent on vulnerable Microsoft runtime DLL “msvcr100.dll”.

So, we are planning to build openNURBS 5 with Microsoft Visual Studio 2019 (Update 7) for now. Is that fine?

Initially we planned to move to openNURBS 7, but, it looks like there is a major change in openNURBS 6/7 architecture. So, we have to rewrite import code that would take considerable time.

So, for now we are planning to compile openNURBS 5 with Visual Studio 2019.

Thanks
Mallikarjuna Bathala
PTC Inc.

dale · April 1, 2021, 6:03pm

Hi @mbathala1,

I doubt anyone here (at McNeel) has tried building openNURBS 5 with Visual C++ 2019. Let us know if you run into any issues.

Certainly, this is your decision. My guess is that most if our customers are using newer versions of Rhino. Thus, you won’t be able to read .3dm files from them.

Regards,

– Dale

mbathala1 · April 5, 2021, 3:10pm

openNURBS 5 with VC++ 2019 built successfully and NO issues found so far.
Thanks
Mallikarjuna Bathala