Forum » Support and Bug Reports »

Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Username

Subject

Message body

Font colour:

Font size:

Options

Disable BBCode in this post

Notify me when a reply is posted (registered users only)

Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

Filename

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

File Comment

Options

Private file (available to author and site moderators only)

Topic review

martin

2025-09-22

Related post with our updated information about zlib in WinSCP:
Critical Issue - CVE-2022-37434 - reported in versions of zlib libraries referenced by

martin

2023-09-07

The code in the link says at the very beginning (emphasis mine):

There will no doubt be criticism of my decision to reimplement Zlib compression from scratch instead of using the existing zlib code

danyvisi@gmail.com

2023-09-05 15:01

Dear all,

I asked BlackDuck to show us the evidence of using zlib library in WinSCP.
BlackDuck said WinSCP use zlib library in the PuTTY and sent me below link as evidence.
https://github.com/winscp/winscp/blob/5.21.8/source/putty/ssh/zlib.c

And also BlackDuck decided that WinSCP is using zlib library from below information.
I'm not sure but it seems that below is a result of command on the Linux.
BlackDuck said that this result show the license information of zlib and indicate to be used the zlib.

strings WinSCP.exe |grep -i 1\\.2

 deflate 1.2.7 Copyright 1995-2012 Jean-loup Gailly and Mark Adler  inflate 1.2.7 Copyright 1995-2012 Mark Adler



strings WinSCP.exe |grep -i zlib

System.ZLib

System.ZLib

System.ZLib

System.ZLib

System.ZLib

EZLibError

EZLibError

System.ZLib

System.ZLib

System.ZLib

EPNGZLIBError

EPNGZLIBError

ZLIB

zlib compression

bio_zlib_flush

bio_zlib_new

bio_zlib_read

bio_zlib_write

zlib deflate error

zlib inflate error

zlib not supported

zlib

zlib@openssh.com

zlib (RFC1950)

Kind Regard,
Daniel

martin

2023-02-09

I do not think so. I cannot of course rule out possibility that parts of zlib code are copied into some 3rd party library WinSCP is using. But the actual zlib library is not used.

The zlib library can be used by OpenSSL and neon libraries. It was also used by FileZilla 2, on which WinSCP FTP implementation is built on. But zlib use is turned off in WinSCP for all those libraries.

The libs3 library is officially dependent on zlib via libxml2. Maybe that's where the detection comes from. But in WinSCP, the libs3 is reimplemented to use Expat instead of libxml2.

PuTTY (used by WinSCP as library for SSH) implements zlib, but it has its own implementation.

So there are lots of "zlib" mentions in WinSCP source code. But that does not mean WinSCP uses the actual "zlib" library.

danyvisi@gmail.com

2023-02-07 17:23

Maybe there are other external libraries that include zlib..

danyvisi@gmail.com

2023-02-07 17:22

Here is what the software reports

martin

Re: winscp and zlib

2022-06-30

I'm not aware of zlib being used in WinSCP.
Does the Black Duck show any details about how it detected zlib in WinSCP?

danyvisi@...

WinSCP and zlib

2022-06-30 07:27

Dear all,

While scanning latest version with Black Duck it reports usage of zlib 1.2.7 library with known vulnerabilities.
Does the project use this library and this version or should this be reported as false positive?

Regards
Daniel

Post a reply

Topic review

Re: winscp and zlib

WinSCP and zlib

Documentation

Support

Associations

Follow Us