From 32db742922b6e4127d65abf42905a07eca6a2255 Mon Sep 17 00:00:00 2001
From: George McCollister
Date: Tue, 14 Nov 2017 14:01:06 -0600
Subject: zlib: Fix CVE-2016-9843

Add backported patch to fix CVE-2016-9843 which was fixed in zlib 1.2.9 https://nvd.nist.gov/vuln/detail/CVE-2016-9843

Signed-off-by: George McCollister
Signed-off-by: Armin Kuster
---
 .../zlib/zlib-1.2.8/CVE-2016-9843.patch | 55 ++++++++++++++++++++++
 meta/recipes-core/zlib/zlib_1.2.8.bb | 1 +
 2 files changed, 56 insertions(+)
 create mode 100644 meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9843.patch

(limited to 'meta/recipes-core')

diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9843.patch b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9843.patch
new file mode 100644
index 0000000000..1ff8acf265
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9843.patch
@@ -0,0 +1,55 @@
+commit d1d577490c15a0c6862473d7576352a9f18ef811
+Author: Mark Adler
+Date: Wed Sep 28 20:20:25 2016 -0700
+
+ Avoid pre-decrement of pointer in big-endian CRC calculation.
+
+ There was a small optimization for PowerPCs to pre-increment a
+ pointer when accessing a word, instead of post-incrementing. This
+ required prefacing the loop with a decrement of the pointer,
+ possibly pointing before the object passed. This is not compliant
+ with the C standard, for which decrementing a pointer before its
+ allocated memory is undefined. When tested on a modern PowerPC
+ with a modern compiler, the optimization no longer has any effect.
+ Due to all that, and per the recommendation of a security audit of
+ the zlib code by Trail of Bits and TrustInSoft, in support of the
+ Mozilla Foundation, this "optimization" was removed, in order to
+ avoid the possibility of undefined behavior.
+
+Upstream-Status: Backport
+http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz
+https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811
+
+CVE: CVE-2016-9843
+
+Signed-off-by: George McCollister
+
+diff --git a/crc32.c b/crc32.c
+index 979a719..05733f4 100644
+--- a/crc32.c
++++ b/crc32.c
+@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len)
+ }
+
+ /* ========================================================================= */
+-#define DOBIG4 c ^= *++buf4; \
++#define DOBIG4 c ^= *buf4++; \
+ c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \
+ crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24]
+ #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4
+@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len)
+ }
+
+ buf4 = (const z_crc_t FAR *)(const void FAR *)buf;
+- buf4--;
+ while (len >= 32) {
+ DOBIG32;
+ len -= 32;
+@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len)
+ DOBIG4;
+ len -= 4;
+ }
+- buf4++;
+ buf = (const unsigned char FAR *)buf4;
+
+ if (len) do {
diff --git a/meta/recipes-core/zlib/zlib_1.2.8.bb b/meta/recipes-core/zlib/zlib_1.2.8.bb
index eb38589b6a..338d0f9573 100644
--- a/meta/recipes-core/zlib/zlib_1.2.8.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.8.bb
@@ -13,6 +13,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
 file://CVE-2016-9840.patch \
 file://CVE-2016-9841.patch \
 file://CVE-2016-9842.patch \
+ file://CVE-2016-9843.patch \
 file://run-ptest \
 "
-- 
cgit 1.2.3-korg
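Review bot: The three crc32.c sub-hunks in the backported patch are only correct as a set: dropping `buf4--` (hunk at -300) and `buf4++` (hunk at -308) relies on DOBIG4 having changed from `*++buf4` to `*buf4++` (hunk at -278), and the macro change alone would likewise shift every word read by one; a rebase that fuzzes or drops one of them would silently reintroduce an out-of-bounds word access instead of the pre-decrement the patch removes. The patch header should state this so a future maintainer does not treat a partial apply as clean, e.g. `Note: the DOBIG4 change and the two pointer-adjustment removals must be applied together.` The enclosing function crc32_big starts and ends outside the quoted hunks, so whether any other adjustment of buf4 remains cannot be checked here. The `CVE:` tag and `Upstream-Status: Backport` line are present as oe-core expects; of the two links, the upstream commit URL is the durable reference and the Debian tarball link may rot.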