Submitted by Omair Majid
This is mainly motivated by the March 2022 release of .NET 5. .NET 5 was found to be vulnerable to CVE-2020-8927, which was caused by the older version of brotli built into .NET. .NET was vulnerable even in environments where a system-wide version of brotli was present and had already received fixes for this CVE. We could have avoided a Remote Code Execution vulnerability in such environments by using the system's version of brotli. This is similar to the existing support for disabling distro-agnostic OpenSSL (except no OpenSSL is embedded) and using the system libunwind (a copy of libunwind is embedded in this repo). One small twist is the presence of entrypoint verification. In a system-brotli build, the verification fails, because the built library, libSystem.IO.Compression.Native.so, doesn't include the symbols for Brotli. Those symbols are instead used from the system brotli libraries.
5ca92236