System Information
OpenCV version: all versions
Operating System: NA
Compiler & compiler version: NA
Detailed description
Following the OpenCV forum post here:
https://forum.opencv.org/t/zlib-update-to-resolve-security-vulnerability/10861
there are reports of a Critical severity security vulnerability in zlib up to and including version 1.2.12: https://cve.report/CVE-2022-37434
OpenCV does not invoke the vulnerable inflateGetHeader() routine from zlib:
https://github.com/opencv/opencv/search?q=inflategetheader
So this is not a true security vulnerability in OpenCV. However, security scanning tools will still flag OpenCV as vulnerable, which is a problem for customers when OpenCV is part of a (commercial) application.
The latest zlib version used by any of the OpenCV versions is 1.2.12, so all OpenCV versions contain the vulnerable zlib version.
The vulnerability is resolved in zlib 1.2.13: https://www.zlib.net/
OpenCV version 4.5.3 was built and tested successfully with zlib 1.2.13, so the vulnerability may be removed by replacing the current zlib version used by OpenCV (1.2.12) with the new zlib version.
Steps to reproduce
The README of zlib used by OpenCV states that its version is 1.2.12: https://github.com/opencv/opencv/blob/4.x/3rdparty/zlib/README
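As an added example (not code from this issue, OpenCV or zlib), a small Python check that separates the two facts the report relies on: the bundled zlib version that a scanner keys on, read from the ZLIB_VERSION macro in 3rdparty/zlib/zlib.h, and whether any code outside 3rdparty/zlib actually calls inflateGetHeader(). The header text and source snippets below are constructed stand-ins; on a real checkout, read the files into the same dict.

```python
"""Added example (not OpenCV or zlib code): check a source tree's bundled zlib
against the CVE-2022-37434 fix version (1.2.13) and list direct callers of
inflateGetHeader(), the routine the CVE affects. ZLIB_VERSION is the real macro
in zlib.h; the sample header and sources below are constructed stand-ins."""
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (1, 2, 13)          # first zlib release carrying the fix
VULNERABLE_FUNC = "inflateGetHeader"

# Constructed stand-in for 3rdparty/zlib/zlib.h as bundled with zlib 1.2.12.
SAMPLE_ZLIB_H = '#define ZLIB_VERSION "1.2.12"\n#define ZLIB_VERNUM 0x12c0\n'

# Constructed stand-in for a tree: zlib defines the function, the application
# code only uses the gz* API, so no call site exists outside 3rdparty/zlib.
SAMPLE_SOURCES: Dict[str, str] = {
    "3rdparty/zlib/inflate.c": "int ZEXPORT inflateGetHeader(z_streamp strm, gz_headerp head)\n",
    "modules/core/src/persistence.cpp": "gzFile gzfile = gzopen(filename, mode);\n",
}

def parse_zlib_version(header_text: str) -> Optional[Tuple[int, ...]]:
    """Return the ZLIB_VERSION macro value as an int tuple, e.g. (1, 2, 12)."""
    m = re.search(r'#define\s+ZLIB_VERSION\s+"([0-9.]+)"', header_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_vulnerable_version(version: Tuple[int, ...]) -> bool:
    """True for zlib releases through 1.2.12; tuple compare also handles 1.3, 1.2.13.1."""
    return version < FIXED_VERSION

def find_direct_calls(sources: Dict[str, str]) -> List[str]:
    """Return 'path:line' for each inflateGetHeader( call outside the bundled zlib.
    zlib's own declaration and definition are skipped; only callers matter."""
    pattern = re.compile(r"\b%s\s*\(" % VULNERABLE_FUNC)
    hits: List[str] = []
    for path, text in sources.items():
        if path.startswith("3rdparty/zlib/"):
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            if pattern.search(line):
                hits.append(f"{path}:{lineno}")
    return hits

def assess(header_text: str, sources: Dict[str, str]) -> Dict[str, object]:
    """What a scanner flags (version) versus what the code actually reaches (callers)."""
    version = parse_zlib_version(header_text)
    flagged = version is not None and is_vulnerable_version(version)
    return {"zlib_version": version, "scanner_flags": flagged,
            "direct_callers": find_direct_calls(sources)}

if __name__ == "__main__":
    print(assess(SAMPLE_ZLIB_H, SAMPLE_SOURCES))
```

For the constructed tree the result is scanner_flags True with an empty direct_callers list, which is exactly the situation the issue describes: flagged by version, not reachable in code, resolved only by bumping the bundled zlib.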
Issue submission checklist