Hi Mike,

As you said, TF-A uses zlib only for decompression, while the fix between 1.2.11 & 1.2.12 was for compression (deflation), so these fixes won't impact TF-A.
Considering 1.2.12 already has known bugs related to CRC32 (https://github.com/madler/zlib/issues/618), it makes more sense to not upgrade yet.

Once the fix for CRC32 is available in any future release (1.2.12.x or something), we will pick it up.

Thanks
Manish

From: mikemcternan--- via TF-A <tf-a@lists.trustedfirmware.org>
Sent: 08 June 2022 11:14
To: tf-a@lists.trustedfirmware.org <tf-a@lists.trustedfirmware.org>
Subject: [TF-A] Version 1.2.12 of zlib was released
 
Hi!

It looks like TF-A contains zlib 1.2.11 e.g. https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/lib/zlib/zlib.h

zlib.net gives their last release as 1.2.12 (March 27, 2022) with the following changelog:

"Fix a deflate bug when using the Z_FIXED strategy that can result in out-of-bound accesses.
Fix a deflate bug when the window is full in deflate_stored().
Speed up CRC-32 computations by a factor of 1.5 to 3.
Use the hardware CRC-32 instruction on ARMv8 processors.
Speed up crc32_combine() with powers of x tables.
Add crc32_combine_gen() and crc32_combine_op() for fast combines.

Due to the bug fixes, any installations of 1.2.11 should be replaced with 1.2.12."

I'm not sure if this is significant as I couldn't find usages of deflate, but thought I would mention it in case others are relying on this functionality and wish to update.

Kind regards,

Mike