From c34064cceeb56806ed8ddf3aff73a3971378066c Mon Sep 17 00:00:00 2001 From: George McCollister Date: Tue, 14 Nov 2017 14:01:03 -0600 Subject: zlib: Fix CVE-2016-9840 Add backported patch to fix CVE-2016-9840 which was fixed in zlib 1.2.9 https://nvd.nist.gov/vuln/detail/CVE-2016-9840 Signed-off-by: George McCollister Signed-off-by: Armin Kuster --- .../zlib/zlib-1.2.8/CVE-2016-9840.patch | 77 ++++++++++++++++++++++ meta/recipes-core/zlib/zlib_1.2.8.bb | 1 + 2 files changed, 78 insertions(+) create mode 100644 meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch (limited to 'meta/recipes-core') diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch new file mode 100644 index 0000000000..4f0d2c6975 --- /dev/null +++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch @@ -0,0 +1,77 @@ +commit 6a043145ca6e9c55184013841a67b2fef87e44c0 +Author: Mark Adler +Date: Wed Sep 21 23:35:50 2016 -0700 + + Remove offset pointer optimization in inftrees.c. + + inftrees.c was subtracting an offset from a pointer to an array, + in order to provide a pointer that allowed indexing starting at + the offset. This is not compliant with the C standard, for which + the behavior of a pointer decremented before its allocated memory + is undefined. Per the recommendation of a security audit of the + zlib code by Trail of Bits and TrustInSoft, in support of the + Mozilla Foundation, this tiny optimization was removed, in order + to avoid the possibility of undefined behavior. + +Upstream-Status: Backport +http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz +https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0 + +CVE: CVE-2016-9840 + +Signed-off-by: George McCollister + +diff --git a/inftrees.c b/inftrees.c +index 22fcd66..0d2670d 100644 +--- a/inftrees.c ++++ b/inftrees.c +@@ -54,7 +54,7 @@ unsigned short FAR *work; + code FAR *next; /* next available space in table */ + const unsigned short FAR *base; /* base value table to use */ + const unsigned short FAR *extra; /* extra bits table to use */ +- int end; /* use base and extra for symbol > end */ ++ unsigned match; /* use base and extra for symbol >= match */ + unsigned short count[MAXBITS+1]; /* number of codes of each length */ + unsigned short offs[MAXBITS+1]; /* offsets in table for each length */ + static const unsigned short lbase[31] = { /* Length codes 257..285 base */ +@@ -181,19 +181,17 @@ unsigned short FAR *work; + switch (type) { + case CODES: + base = extra = work; /* dummy value--not used */ +- end = 19; ++ match = 20; + break; + case LENS: + base = lbase; +- base -= 257; + extra = lext; +- extra -= 257; +- end = 256; ++ match = 257; + break; + default: /* DISTS */ + base = dbase; + extra = dext; +- end = -1; ++ match = 0; + } + + /* initialize state for loop */ +@@ -216,13 +214,13 @@ unsigned short FAR *work; + for (;;) { + /* create table entry */ + here.bits = (unsigned char)(len - drop); +- if ((int)(work[sym]) < end) { ++ if (work[sym] + 1 < match) { + here.op = (unsigned char)0; + here.val = work[sym]; + } +- else if ((int)(work[sym]) > end) { +- here.op = (unsigned char)(extra[work[sym]]); +- here.val = base[work[sym]]; ++ else if (work[sym] >= match) { ++ here.op = (unsigned char)(extra[work[sym] - match]); ++ here.val = base[work[sym] - match]; + } + else { + here.op = (unsigned char)(32 + 64); /* end of block */ diff --git a/meta/recipes-core/zlib/zlib_1.2.8.bb b/meta/recipes-core/zlib/zlib_1.2.8.bb index 913c7033d4..b6a4c687ca 100644 --- a/meta/recipes-core/zlib/zlib_1.2.8.bb +++ b/meta/recipes-core/zlib/zlib_1.2.8.bb @@ -10,6 +10,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \ file://remove.ldconfig.call.patch \ file://Makefile-runtests.patch \ file://ldflags-tests.patch \ + file://CVE-2016-9840.patch \ file://run-ptest \ " -- cgit 1.2.3-korg