[oe-commits] [openembedded-core] 44/53: zlib: Fix CVE-2016-9840

git at git.openembedded.org git at git.openembedded.org
Tue Nov 21 14:45:05 UTC 2017



rpurdie pushed a commit to branch morty
in repository openembedded-core.

commit c34064cceeb56806ed8ddf3aff73a3971378066c
Author: George McCollister <george.mccollister at gmail.com>
AuthorDate: Tue Nov 14 14:01:03 2017 -0600

    zlib: Fix CVE-2016-9840
    
    Add backported patch to fix CVE-2016-9840 which was fixed in zlib 1.2.9
    
    https://nvd.nist.gov/vuln/detail/CVE-2016-9840
    
    Signed-off-by: George McCollister <george.mccollister at gmail.com>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
 .../zlib/zlib-1.2.8/CVE-2016-9840.patch            | 77 ++++++++++++++++++++++
 meta/recipes-core/zlib/zlib_1.2.8.bb               |  1 +
 2 files changed, 78 insertions(+)

diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch
new file mode 100644
index 0000000..4f0d2c6
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch
@@ -0,0 +1,77 @@
+commit 6a043145ca6e9c55184013841a67b2fef87e44c0
+Author: Mark Adler <madler at alumni.caltech.edu>
+Date:   Wed Sep 21 23:35:50 2016 -0700
+
+    Remove offset pointer optimization in inftrees.c.
+    
+    inftrees.c was subtracting an offset from a pointer to an array,
+    in order to provide a pointer that allowed indexing starting at
+    the offset. This is not compliant with the C standard, for which
+    the behavior of a pointer decremented before its allocated memory
+    is undefined. Per the recommendation of a security audit of the
+    zlib code by Trail of Bits and TrustInSoft, in support of the
+    Mozilla Foundation, this tiny optimization was removed, in order
+    to avoid the possibility of undefined behavior.
+
+Upstream-Status: Backport
+http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz
+https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0
+
+CVE: CVE-2016-9840
+
+Signed-off-by: George McCollister <george.mccollister at gmail.com>
+
+diff --git a/inftrees.c b/inftrees.c
+index 22fcd66..0d2670d 100644
+--- a/inftrees.c
++++ b/inftrees.c
+@@ -54,7 +54,7 @@ unsigned short FAR *work;
+     code FAR *next;             /* next available space in table */
+     const unsigned short FAR *base;     /* base value table to use */
+     const unsigned short FAR *extra;    /* extra bits table to use */
+-    int end;                    /* use base and extra for symbol > end */
++    unsigned match;             /* use base and extra for symbol >= match */
+     unsigned short count[MAXBITS+1];    /* number of codes of each length */
+     unsigned short offs[MAXBITS+1];     /* offsets in table for each length */
+     static const unsigned short lbase[31] = { /* Length codes 257..285 base */
+@@ -181,19 +181,17 @@ unsigned short FAR *work;
+     switch (type) {
+     case CODES:
+         base = extra = work;    /* dummy value--not used */
+-        end = 19;
++        match = 20;
+         break;
+     case LENS:
+         base = lbase;
+-        base -= 257;
+         extra = lext;
+-        extra -= 257;
+-        end = 256;
++        match = 257;
+         break;
+     default:            /* DISTS */
+         base = dbase;
+         extra = dext;
+-        end = -1;
++        match = 0;
+     }
+ 
+     /* initialize state for loop */
+@@ -216,13 +214,13 @@ unsigned short FAR *work;
+     for (;;) {
+         /* create table entry */
+         here.bits = (unsigned char)(len - drop);
+-        if ((int)(work[sym]) < end) {
++        if (work[sym] + 1 < match) {
+             here.op = (unsigned char)0;
+             here.val = work[sym];
+         }
+-        else if ((int)(work[sym]) > end) {
+-            here.op = (unsigned char)(extra[work[sym]]);
+-            here.val = base[work[sym]];
++        else if (work[sym] >= match) {
++            here.op = (unsigned char)(extra[work[sym] - match]);
++            here.val = base[work[sym] - match];
+         }
+         else {
+             here.op = (unsigned char)(32 + 64);         /* end of block */
diff --git a/meta/recipes-core/zlib/zlib_1.2.8.bb b/meta/recipes-core/zlib/zlib_1.2.8.bb
index 913c703..b6a4c68 100644
--- a/meta/recipes-core/zlib/zlib_1.2.8.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.8.bb
@@ -10,6 +10,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
            file://remove.ldconfig.call.patch \
            file://Makefile-runtests.patch \
            file://ldflags-tests.patch \
+           file://CVE-2016-9840.patch \
            file://run-ptest \
            "
 
