Rank: Member Groups: Member
Joined: 3/10/2020 Posts: 18
We are using the EOWebbrowser.net DLLs to load web pages in a WPF application. We have a security finding that the EO DLL uses an older version of the zlib libraries.
We are using version 20.0.53.0 of the EO DLLs. Can you please confirm whether you have an upgraded version that uses a non-vulnerable version of the zlib DLL?
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 22,623
Hi,
Our DLLs do not depend on or use any unmanaged DLLs. We do automatically uncompress the browser engine code in memory, which might trigger the false alarm. So you can ignore this alert.
Thanks!
Rank: Member Groups: Member
Joined: 3/10/2020 Posts: 18
We worked with the security team and they provided us with steps to recreate it. From the below it appears that the older versions of the zlib libraries are referenced in eowp.exe. Please advise.
Steps to reproduce:
1. Install the EO application in Windows.
2. Copy the entire application folder from Windows into Linux, OR install grep and strings for Windows.
3. Run the following command inside the EO application folder: grep -r libpng .
4. Run strings on each of the results with the following command: cat <filename> | grep libpng
5. Observe the versions that are returned.
6. Run the following command: for A in `grep -lr Mark\ Adler`; do echo $A; strings $A | grep Adler; done
7. Observe the line with the keywords deflate and inflate.
8. Compare these lines to the zlib open source code.
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 22,623
Hi,
Thanks for the additional information. We do have code that is based on the open source zlib source code, which is why you see some "signatures" of zlib in our code. However:
1. We do NOT directly reference a specific version of zlib;
2. The unzip code we use is for unzipping embedded browser engine code only. No other input is used by that code.
We will review and update this portion of the code in our next release, which should be available in January.
Thanks!
Rank: Member Groups: Member
Joined: 3/10/2020 Posts: 18
Can you please let us know the release date in January?
Thanks
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 22,623
Hi,
We have already reviewed and updated this part in our current build. Please keep in mind that you cannot simply search for some signatures to conclude that the version used is not secure. After our review, we have identified two places where zlib-based code is used, and both have been updated:
1. When we dynamically unzip and load the browser engine code, as previously mentioned;
2. Our product is based on Google's Chromium project, and Chromium also uses zlib: https://source.chromium.org/chromium/chromium/src/+/master:third_party/zlib/
As a result, you will always find zlib signatures in the final binary. We expect to update this again in the future to stay up to date with newer versions.
Thanks!
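The following is an added example, not EO's code and not posted by anyone in this thread. It turns the security team's manual signature hunt (grep for "libpng" and "Mark Adler", then strings, then eyeball the deflate/inflate banners) into a repeatable scan, and it also shows the limit the vendor points out: the scan reports which zlib or libpng release a banner came from, nothing more. It assumes a POSIX shell with tr, grep -E, sed -E, awk, find and sort (no strings binary is needed), and the minimum versions passed to flag_outdated are the caller's own policy, not a statement about which releases are affected. The sample "binaries" in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not EO's code): a portable version of the string-signature scan.
# Finds zlib and libpng version banners embedded in files under a directory and
# flags banners whose version is below a caller-supplied minimum.

TAB=$(printf '\t')

# Stand-in for `strings -n 8`: keep runs of 8+ printable ASCII characters.
# LC_ALL=C makes [:print:] byte-oriented, so high bytes in the binary split runs.
printable_runs() {
    LC_ALL=C tr -c '[:print:]\n' '\n' < "$1" | LC_ALL=C grep -E '.{8,}'
}

# Emit "file<TAB>library<TAB>version" for every banner found under directory $1.
# zlib's deflate.c and inflate.c carry copyright banners of the form
#   " inflate 1.2.11 Copyright 1995-2017 Mark Adler "
#   " deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler "
# and libpng carries a banner such as "libpng version 1.6.37 - April 14, 2019".
scan_compression_banners() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printable_runs "$f" \
          | grep -oE '(inflate|deflate) [0-9]+(\.[0-9]+)+[^ ]* Copyright|libpng version [0-9]+(\.[0-9]+)+' \
          | sed -E "s/^(inflate|deflate) ([^ ]+) Copyright\$/zlib${TAB}\\2/; s/^libpng version ([^ ]+)\$/libpng${TAB}\\1/" \
          | sort -u \
          | while IFS= read -r hit; do printf '%s\t%s\n' "$f" "$hit"; done
    done
}

# True (exit 0) when dotted version $1 is numerically lower than $2.
# Non-numeric suffixes (e.g. "-motley" on Chromium's fork) are ignored.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*$/, "", a); sub(/[^0-9.].*$/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print findings below minimum zlib version $2 / libpng version $3 as
# "file<TAB>library<TAB>version<TAB><minimum". A line here means "the banner
# names an older release", not "this build is exploitable" (see the note below).
flag_outdated() {
    scan_compression_banners "$1" | while IFS="$TAB" read -r f lib ver; do
        case "$lib" in
            zlib)   min="$2" ;;
            libpng) min="$3" ;;
            *)      continue ;;
        esac
        if version_lt "$ver" "$min"; then
            printf '%s\t%s\t%s\t<%s\n' "$f" "$lib" "$ver" "$min"
        fi
    done
}

# Usage against a constructed sample (the banners and bytes below are made up
# for illustration; point it at the real application folder instead):
#   d=$(mktemp -d)
#   printf 'MZ\220\000 inflate 1.2.11 Copyright 1995-2017 Mark Adler \000' > "$d/eowp.bin"
#   flag_outdated "$d" 1.2.12 1.6.38
```

Two caveats a reviewer should attach to any hit. First, the banner is a copyright string compiled from whichever zlib release the vendored source was taken from; a project that carries its own copy, as Chromium does under third_party/zlib, may have applied fixes without touching that string, so the banner alone cannot tell you whether a specific fix is present. Second, a decompressor is only reachable by an attacker if it processes attacker-controlled data; the vendor's statement here is that its own unzip path only ever sees the embedded engine payload. A banner match is therefore the start of a review of the actual code path and its inputs, not a finding by itself.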