
EO.Browser for WPF Application Options
bnymellon
Posted: Thursday, November 12, 2020 8:58:45 AM
Rank: Member
Groups: Member

Joined: 3/10/2020
Posts: 17
We are using the EOWebbrowser.net DLLs to load web pages in a WPF application.
We have a security finding that the EO DLL uses a lower version of the zlib libraries.

We are using version 20.0.53.0 of the EO DLLs. Can you please confirm whether you have an upgraded version which uses a non-vulnerable version of the zlib DLL?
eo_support
Posted: Thursday, November 12, 2020 9:30:22 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 22,553
Hi,

Our DLLs do not depend on or use any unmanaged DLLs. We do automatically uncompress the browser engine code in memory, which might trigger the false alarm. So you can ignore this alert.

Thanks!
bnymellon
Posted: Monday, November 23, 2020 8:41:39 AM
Rank: Member
Groups: Member

Joined: 3/10/2020
Posts: 17
We worked with the security team and they provided us with steps to recreate. From the below, it appears that the older version of the zlib libraries is referenced in eowp.exe. Please advise.

Steps to Reproduce:
1. Install the EO application in Windows
2. Copy the entire application folder from Windows into Linux, OR install grep and strings for Windows
3. Run the following command inside the EO application
   grep -r libpng .
4. Run strings on each of the results with the following command
   cat <filename> | grep libpng
5. Observe the versions that are returned
6. Run the following command
   for A in `grep -lr Mark\ Adler`; do echo $A; strings $A | grep Adler; done ;
7. Observe the line with the keywords deflate and inflate
8. Compare these lines to the zlib open source code
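
The manual grep/strings procedure above, generalized into one script, as an added example that is not part of the original post or EO's code: it lists the zlib and libpng version banners in every file under a folder and marks those older than a minimum the caller supplies. The function names, the sample file and the demo minimums are assumptions; GNU grep and GNU sort are assumed.

```sh
#!/bin/sh
# Added example: inventory zlib / libpng version banners that survive static
# linking. Assumes GNU grep (-r -a -o) and GNU sort (-V).

# zlib embeds " deflate X.Y.Z Copyright ..." and " inflate X.Y.Z Copyright ...";
# libpng embeds " libpng version X.Y.Z - <date>".
BANNER_RE='(deflate|inflate) [0-9]+(\.[0-9]+)+ Copyright|libpng version [0-9]+(\.[0-9]+)+'

# Print "component version file" for every banner found under directory $1.
find_banners() (
    LC_ALL=C grep -rlaE "$BANNER_RE" -- "$1" | sort |
    while IFS= read -r file; do
        LC_ALL=C grep -aoE "$BANNER_RE" -- "$file" | sort -u |
        while read -r a b c rest; do
            case $a in
                libpng) printf 'libpng %s %s\n' "$c" "$file" ;;
                *)      printf 'zlib-%s %s %s\n' "$a" "$b" "$file" ;;
            esac
        done
    done
)

# Succeed if dotted version $1 sorts strictly before $2.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Usage: audit_dir DIR MIN_ZLIB MIN_LIBPNG (minimums are the caller's policy).
audit_dir() (
    find_banners "$1" | while read -r comp ver file; do
        case $comp in libpng) min=$3 ;; *) min=$2 ;; esac
        if version_lt "$ver" "$min"; then status=OLDER; else status=OK; fi
        printf '%s %s %s %s\n' "$status" "$comp" "$ver" "$file"
    done
)

# Constructed sample: a fake binary with NUL-separated banners, not a real EO file.
make_sample() {
    printf 'MZ\0\0 deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly \0 inflate 1.2.3 Copyright 1995-2005 Mark Adler \0 libpng version 1.6.37 - April 14, 2019\0' > "$1/sample.bin"
    printf 'no compression code here\n' > "$1/readme.txt"
}

demo_dir=$(mktemp -d) && make_sample "$demo_dir"
audit_dir "$demo_dir" 1.2.11 1.6.0   # demo minimums only, not a recommendation
rm -rf "$demo_dir"
```

A banner only shows which zlib or libpng source the embedded code was derived from, so an OLDER line is a lead to confirm with the vendor, since fixes can be backported without changing the string.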

eo_support
Posted: Monday, November 23, 2020 10:32:25 AM
Rank: Administration
Groups: Administration

Joined: 5/27/2007
Posts: 22,553
Hi,

Thanks for the additional information. We do have code that is based on the open source zlib source code; that's why you see some "signatures" of zlib in our code. However:

1. We do NOT directly reference a specific version of zlib;
2. The unzip code we use is for unzipping the embedded browser engine code only. No other input is used by that code.

We will review and update this portion of code in our next release, which should be available in January.

Thanks!

