WinSCP and zlib


danyvisi@...
Guest

Dear all,

While scanning the latest version with Black Duck, it reports usage of the zlib 1.2.7 library with known vulnerabilities.
Does the project use this library and this version or should this be reported as false positive?

Regards
Daniel

[Attachment: winscp.JPG]


martin
Site Admin

Re: winscp and zlib

I'm not aware of zlib being used in WinSCP.
Does Black Duck show any details about how it detected zlib in WinSCP?


martin
Site Admin

I do not think so. I cannot, of course, rule out the possibility that parts of zlib code are copied into some third-party library WinSCP is using. But the actual zlib library is not used.

The zlib library can be used by the OpenSSL and neon libraries. It was also used by FileZilla 2, on which the WinSCP FTP implementation is built. But zlib use is turned off in WinSCP for all those libraries.

The libs3 library is officially dependent on zlib via libxml2. Maybe that's where the detection comes from. But in WinSCP, libs3 is reimplemented to use Expat instead of libxml2.

PuTTY (used by WinSCP as a library for SSH) implements zlib, but it has its own implementation.

So there are lots of "zlib" mentions in WinSCP source code. But that does not mean WinSCP uses the actual "zlib" library.


danyvisi@gmail.com

Dear all,

I asked BlackDuck to show us the evidence of the zlib library being used in WinSCP.
BlackDuck said WinSCP uses the zlib library in PuTTY and sent me the link below as evidence.
https://github.com/winscp/winscp/blob/5.21.8/source/putty/ssh/zlib.c

BlackDuck also decided that WinSCP is using the zlib library from the information below.
I'm not sure, but it seems that the below is the result of a command on Linux.
BlackDuck said that this result shows the license information of zlib and indicates that zlib is used.

strings WinSCP.exe |grep -i 1\\.2
 deflate 1.2.7 Copyright 1995-2012 Jean-loup Gailly and Mark Adler 
 inflate 1.2.7 Copyright 1995-2012 Mark Adler

strings WinSCP.exe |grep -i zlib
System.ZLib
System.ZLib
System.ZLib
System.ZLib
System.ZLib
EZLibError
EZLibError
System.ZLib
System.ZLib
System.ZLib
EPNGZLIBError
EPNGZLIBError
ZLIB
zlib compression
bio_zlib_flush
bio_zlib_new
bio_zlib_read
bio_zlib_write
zlib deflate error
zlib inflate error
zlib not supported
zlib
zlib@openssh.com
zlib (RFC1950)

Kind regards,
Daniel

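An added triage script, not from this thread and not WinSCP's or Black Duck's code, that reproduces the strings check from the post above over a constructed sample and sorts the hits into buckets. The bucket names and patterns are assumptions derived only from the strings quoted above: only the banner lines carry a version an SCA tool can attribute, while the unit, symbol and protocol names merely mention zlib without stating which library, if any, backs them.

```python
import re
from collections import defaultdict

# Constructed stand-in for a binary: the kind of strings `strings WinSCP.exe`
# showed in the thread, interleaved with non-printable bytes. Not a real file.
SAMPLE_BINARY = (
    b"\x00\x01MZ\x90\x00"
    b" deflate 1.2.7 Copyright 1995-2012 Jean-loup Gailly and Mark Adler \x00"
    b" inflate 1.2.7 Copyright 1995-2012 Mark Adler\x00\x00"
    b"System.ZLib\x00EZLibError\x00EPNGZLIBError\x00ZLIB\x00"
    b"bio_zlib_read\x00bio_zlib_write\x00zlib@openssh.com\x00zlib (RFC1950)\x00"
    b"\xff\xfe"
)

# Runs of at least four printable ASCII bytes, like the default of `strings`.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# Assumed classification, built only from the strings quoted in the thread.
# The banner is the only category that states a version number.
BANNER = re.compile(r"\b(deflate|inflate) (\d+\.\d+(?:\.\d+)?) Copyright")
CATEGORIES = [
    ("zlib library banner (carries a version)", BANNER),
    ("Delphi/C++Builder RTL System.ZLib names",
     re.compile(r"^(System\.ZLib|E(PNG)?ZLibError)$", re.I)),
    ("OpenSSL BIO zlib filter names", re.compile(r"^bio_zlib_")),
    ("SSH compression method names", re.compile(r"^zlib(@openssh\.com)?$|RFC1950")),
    ("other zlib mention", re.compile(r"zlib", re.I)),
]

def extract_strings(data: bytes):
    """Printable runs, stripped of surrounding spaces, in file order."""
    return [m.group().decode("ascii").strip() for m in PRINTABLE_RUN.finditer(data)]

def classify(strings):
    """Bucket each string into the first category whose pattern matches."""
    hits = defaultdict(set)
    for s in strings:
        for name, pat in CATEGORIES:
            if pat.search(s):
                hits[name].add(s)
                break
    return {name: sorted(found) for name, found in hits.items()}

def zlib_versions(strings):
    """Versions claimed by genuine zlib banner strings, e.g. ['1.2.7']."""
    return sorted({m.group(2) for m in map(BANNER.search, strings) if m})

def triage(data: bytes):
    strings = extract_strings(data)
    return {"zlib_versions": zlib_versions(strings), "categories": classify(strings)}

if __name__ == "__main__":
    for name, found in triage(SAMPLE_BINARY)["categories"].items():
        print(f"{name}: {found}")
```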

martin
Site Admin

The code in the link says at the very beginning (emphasis mine):
There will no doubt be criticism of my decision to reimplement Zlib compression from scratch instead of using the existing zlib code
