Rank: Advanced Member Groups: Member
Joined: 3/10/2020 Posts: 59
We are using the EOWebbrowser.net dlls to load web pages in a WPF application. We have a security finding that the EO dll uses a lower version of the zlib libraries.
We are using the 20.0.53.0 versions of the EO dlls. Can you please confirm whether you have an upgraded version which uses a non-vulnerable version of the zlib dll.
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,217
Hi,
Our DLLs do not depend on or use any unmanaged DLLs. We do automatically uncompress the browser engine code in memory, which might trigger the false alarm. So you can ignore this alert.
Thanks!
Rank: Advanced Member Groups: Member
Joined: 3/10/2020 Posts: 59
We worked with the security team and they provided us steps to recreate. From the below it appears that older versions of the zlib libraries are referenced in eowp.exe. Please advise.
Steps to Reproduce:
1. Install the EO application in Windows
2. Copy the entire application folder from Windows into Linux, OR install grep and strings for Windows
3. Run the following command inside the EO application folder: grep -r libpng .
4. Run strings on each of the results with the following command: cat <filename> | grep libpng
5. Observe the versions that are returned
6. Run the following command: for A in `grep -lr Mark\ Adler`; do echo $A; strings $A | grep Adler; done ;
7. Observe the line with the keywords deflate and inflate
8. Compare these lines to the zlib open source code
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,217
Hi,
Thanks for the additional information. We do have code that is based on the open source zlib's source code; that's why you see some "signatures" of zlib in our code. However:
1. We do NOT directly reference a specific version of zlib;
2. The unzip code we use is for unzipping the embedded browser engine code only. No other input is used by that code.
We will review and update this portion of code in our next release, which should be available in January.
Thanks!
Rank: Advanced Member Groups: Member
Joined: 3/10/2020 Posts: 59
Can you please let us know the release date in January.
Thanks
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,217
Hi,
We have already reviewed and updated this part in our current build. Please keep in mind that you cannot simply search for some signatures to conclude that the version used is not secure. After our review, we have concluded that there are two places where zlib-based code is used, and both have been updated:
1. When we dynamically unzip and load the browser engine code, as previously mentioned;
2. Our product is based on Google's Chromium project, and Chromium also uses zlib: https://source.chromium.org/chromium/chromium/src/+/master:third_party/zlib/
As a result, you will always find zlib signatures in the final binary. We expect to update this again in the future to stay up to date with newer versions.
Thanks!
Rank: Advanced Member Groups: Member
Joined: 3/10/2020 Posts: 59
We discussed this item with our internal security review team and we need to know the explanation for having the entry C:\Development\OpenSource\zlib-1.2.8\contrib\vstudio\vc11\x86\ZlibDllRelease\zlibwapi.pdb in eowp.exe. As stated in this post, this may not be a direct reference from the EO assemblies and may be part of Chromium. Requesting you to confirm that the entry in eowp.exe is not part of the Essential Objects executable and that it corresponds to Chromium.
To recreate the issue:
1. Unzip "eowp.exe" using the 7zip app
2. Open the .data file in Notepad
3. Search for zlib.
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,217
Hi,
eowp.exe is not part of Chromium; it is a part of our product. We use eowp.exe to start the child process. However, you do not have to use or distribute eowp.exe. When eowp.exe is not used, our library uses the Windows system file rundll32.exe to start the child process.
As we have already explained in our previous reply, there are two places where zlib-based code is used: one is when we load the browser engine code (Chromium) and the other is in the Chromium engine itself. The version Chromium uses is based on zlib 1.2.11. The version we use is based on zlib 1.2.8, which is slightly older. This is the one in eowp.exe. However, we do not directly link to zlib; instead we use code modified based on their code. The pdb file you see is the internal debug information embedded inside the executable file to aid debugging in the dev environment. It does not mean we are linked to an external zlib DLL directly. We did update the zlib codebase, since the early version was based on an older version.
Thanks!
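The reproduction steps earlier in this thread (grep/strings for the "Mark Adler" banners) and the reply above (a zlib-1.2.8 .pdb path embedded in eowp.exe) both come down to scanning a binary for zlib-derived strings. The following is an added example, not code from the thread or from Essential Objects, that does that scan in Python over a constructed byte blob standing in for eowp.exe: it extracts the version from zlib's deflate/inflate copyright banners, compares it numerically against a minimum (1.2.11 here, as agreed in the thread), pulls out embedded PDB paths, and separately checks for a zlib DLL name, which is the closest string-level hint of a dynamic link. The DLL-name check is a heuristic, not a PE import-table parse; a banner shows that zlib-derived code is compiled in, and the path shows only where it was built, neither of which says whether the routine is reachable from untrusted input.

```python
import re

# zlib's deflate.c/inflate.c carry banners of the form
#   "deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler "
#   "inflate 1.2.8 Copyright 1995-2013 Mark Adler "
ZLIB_BANNER = re.compile(rb"(deflate|inflate) (\d+(?:\.\d+)+) Copyright")
# Windows PDB path as embedded by the linker's debug directory (printable run ending in .pdb)
PDB_PATH = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]+?\.pdb")
# Names a dynamically linked zlib would leave in the import table (string-level heuristic only)
ZLIB_DLL_NAMES = (b"zlib1.dll", b"zlibwapi.dll", b"zlib.dll")


def parse_version(text: str) -> tuple:
    """Numeric tuple so that 1.2.8 < 1.2.11 (plain string comparison gets this wrong)."""
    return tuple(int(part) for part in text.split("."))


def scan_zlib_signatures(data: bytes, minimum: str = "1.2.11") -> dict:
    """Report zlib banners, embedded PDB paths and DLL-name hints found in a binary image."""
    versions = sorted({m.group(2).decode("ascii") for m in ZLIB_BANNER.finditer(data)},
                      key=parse_version)
    pdb_paths = [m.group(0).decode("ascii") for m in PDB_PATH.finditer(data)]
    lowered = data.lower()
    return {
        "banners": versions,
        "below_minimum": [v for v in versions if parse_version(v) < parse_version(minimum)],
        "pdb_paths": pdb_paths,
        "zlib_dll_name_present": any(name in lowered for name in ZLIB_DLL_NAMES),
    }


# Constructed sample standing in for eowp.exe: a few bytes of padding around the two banners
# and the PDB path quoted in this thread. Not a real executable.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler \x00"
    + b"inflate 1.2.8 Copyright 1995-2013 Mark Adler \x00"
    + b"C:\\Development\\OpenSource\\zlib-1.2.8\\contrib\\vstudio\\vc11\\x86"
    + b"\\ZlibDllRelease\\zlibwapi.pdb\x00"
    + b"\xff" * 16
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for key, value in scan_zlib_signatures(data).items():
        print(f"{key}: {value}")
```

Run it with a file path to scan a real binary, or with no arguments to scan the constructed sample.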
Rank: Advanced Member Groups: Member
Joined: 3/10/2020 Posts: 59
We discussed using zlib libraries with our security team again and they updated us that there are vulnerabilities in zlib 1.2.8 as listed in the link below. To mitigate these vulnerabilities they requested us to either upgrade the version to 1.2.11 or provide them the evidence (this can be the modified code snippet that you mentioned before) that eowp.exe and the zlib libraries (used within eowp) are NOT directly linked. https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-1820/version_id-214474/GNU-Zlib-1.2.8.html
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,217
Hi,
We have already told you multiple times why we believe our product is safe:
1. We DO NOT expose any zlib routines to any external code. The only place this is used is to unzip the compressed code inside our DLL, and none of this data or these routines is exposed anywhere;
2. Nor is the zlib DLL directly linked to our code, as the unzip code is embedded inside eowp.exe, as is evident from the fact that you do not see a zlib.dll anywhere.
We believe the fact that your security team concludes that the code is not secure merely because we have debug information embedded inside our executable is not only highly invasive but also extremely questionable.
As always, we will constantly move along to update to newer versions (most likely we will update to 1.2.11 in our next major update in the summer). But in the meantime I am afraid there isn't much else we can tell you.
Thanks!
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,217
Hi,
This is just to let you know that we have posted build 21.0.32, which updated eowp.exe to be based on zlib 1.2.11.
Thanks!