[zlib] update to 1.3.1 #36394
Comments
@carsten-grimm-at-ipolog: Thanks for your PR, 2 CVE fixes have been added into Zlib 1.3.1 for Minizip.
... and minizip is a separate port.
Thanks, @Neustradamus, for pointing this out. My understanding is that this port does not build the examples from zlib and, thus, does not build minizip. This was the case for the previous version of the port and is now simplified by the new compile option to disable the examples in zlib. Hence, even the previous version of the port for zlib 1.3 should not have been affected by CVE-2023-45853. But that may not have been obvious, especially not to vulnerability scanners that are based on version numbers. @dg0yt, I am slightly confused. I see two ports that seem to refer to minizip:
I might be able to look into this on the weekend, but I cannot promise anything, as I am not familiar with minizip.
OK, no problem. For the second fixed CVE, it is CVE-2014-9485 from 2014 and the PR is here:
Library name
zlib
New version number
1.3.1
Other information that may be useful (release notes, etc...)
Release notes: https://github.com/madler/zlib/releases/tag/v1.3.1
This release was also anticipated, due to an issue related to scoring vulnerabilities: madler/zlib#868
A pull request will be ready shortly.