[oe-commits] [openembedded-core] 45/53: zlib: Fix CVE-2016-9841
git at git.openembedded.org
git at git.openembedded.org
Tue Nov 21 14:45:06 UTC 2017
This is an automated email from the git hooks/post-receive script.
rpurdie pushed a commit to branch morty
in repository openembedded-core.
commit aa650d4f5eb2b671e76d7c4da3ef080e26eed543
Author: George McCollister <george.mccollister at gmail.com>
AuthorDate: Tue Nov 14 14:01:04 2017 -0600
zlib: Fix CVE-2016-9841
Add backported patch to fix CVE-2016-9841 which was fixed in zlib 1.2.9
https://nvd.nist.gov/vuln/detail/CVE-2016-9841
Signed-off-by: George McCollister <george.mccollister at gmail.com>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
.../zlib/zlib-1.2.8/CVE-2016-9841.patch | 230 +++++++++++++++++++++
meta/recipes-core/zlib/zlib_1.2.8.bb | 1 +
2 files changed, 231 insertions(+)
diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9841.patch b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9841.patch
new file mode 100644
index 0000000..9cf7a77
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9841.patch
@@ -0,0 +1,230 @@
+commit 9aaec95e82117c1cb0f9624264c3618fc380cecb
+Author: Mark Adler <madler at alumni.caltech.edu>
+Date: Wed Sep 21 22:25:21 2016 -0700
+
+ Use post-increment only in inffast.c.
+
+ An old inffast.c optimization turns out to not be optimal anymore
+ with modern compilers, and furthermore was not compliant with the
+ C standard, for which decrementing a pointer before its allocated
+ memory is undefined. Per the recommendation of a security audit of
+ the zlib code by Trail of Bits and TrustInSoft, in support of the
+ Mozilla Foundation, this "optimization" was removed, in order to
+ avoid the possibility of undefined behavior.
+
+Upstream-Status: Backport
+http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz
+https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb
+
+CVE: CVE-2016-9841
+
+Signed-off-by: George McCollister <george.mccollister at gmail.com>
+
+diff --git a/inffast.c b/inffast.c
+index bda59ce..f0d163d 100644
+--- a/inffast.c
++++ b/inffast.c
+@@ -10,25 +10,6 @@
+
+ #ifndef ASMINF
+
+-/* Allow machine dependent optimization for post-increment or pre-increment.
+- Based on testing to date,
+- Pre-increment preferred for:
+- - PowerPC G3 (Adler)
+- - MIPS R5000 (Randers-Pehrson)
+- Post-increment preferred for:
+- - none
+- No measurable difference:
+- - Pentium III (Anderson)
+- - M68060 (Nikl)
+- */
+-#ifdef POSTINC
+-# define OFF 0
+-# define PUP(a) *(a)++
+-#else
+-# define OFF 1
+-# define PUP(a) *++(a)
+-#endif
+-
+ /*
+ Decode literal, length, and distance codes and write out the resulting
+ literal and match bytes until either not enough input or output is
+@@ -96,9 +77,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+
+ /* copy state to local variables */
+ state = (struct inflate_state FAR *)strm->state;
+- in = strm->next_in - OFF;
++ in = strm->next_in;
+ last = in + (strm->avail_in - 5);
+- out = strm->next_out - OFF;
++ out = strm->next_out;
+ beg = out - (start - strm->avail_out);
+ end = out + (strm->avail_out - 257);
+ #ifdef INFLATE_STRICT
+@@ -119,9 +100,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ input data or output space */
+ do {
+ if (bits < 15) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ here = lcode[hold & lmask];
+@@ -134,14 +115,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ?
+ "inflate: literal '%c'\n" :
+ "inflate: literal 0x%02x\n", here.val));
+- PUP(out) = (unsigned char)(here.val);
++ *out++ = (unsigned char)(here.val);
+ }
+ else if (op & 16) { /* length base */
+ len = (unsigned)(here.val);
+ op &= 15; /* number of extra bits */
+ if (op) {
+ if (bits < op) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ len += (unsigned)hold & ((1U << op) - 1);
+@@ -150,9 +131,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ }
+ Tracevv((stderr, "inflate: length %u\n", len));
+ if (bits < 15) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ here = dcode[hold & dmask];
+@@ -165,10 +146,10 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ dist = (unsigned)(here.val);
+ op &= 15; /* number of extra bits */
+ if (bits < op) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ if (bits < op) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ }
+@@ -196,30 +177,30 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ #ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
+ if (len <= op - whave) {
+ do {
+- PUP(out) = 0;
++ *out++ = 0;
+ } while (--len);
+ continue;
+ }
+ len -= op - whave;
+ do {
+- PUP(out) = 0;
++ *out++ = 0;
+ } while (--op > whave);
+ if (op == 0) {
+ from = out - dist;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--len);
+ continue;
+ }
+ #endif
+ }
+- from = window - OFF;
++ from = window;
+ if (wnext == 0) { /* very common case */
+ from += wsize - op;
+ if (op < len) { /* some from window */
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+ from = out - dist; /* rest from output */
+ }
+@@ -230,14 +211,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ if (op < len) { /* some from end of window */
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+- from = window - OFF;
++ from = window;
+ if (wnext < len) { /* some from start of window */
+ op = wnext;
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+ from = out - dist; /* rest from output */
+ }
+@@ -248,35 +229,35 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ if (op < len) { /* some from window */
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+ from = out - dist; /* rest from output */
+ }
+ }
+ while (len > 2) {
+- PUP(out) = PUP(from);
+- PUP(out) = PUP(from);
+- PUP(out) = PUP(from);
++ *out++ = *from++;
++ *out++ = *from++;
++ *out++ = *from++;
+ len -= 3;
+ }
+ if (len) {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ if (len > 1)
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ }
+ }
+ else {
+ from = out - dist; /* copy direct from output */
+ do { /* minimum length is three */
+- PUP(out) = PUP(from);
+- PUP(out) = PUP(from);
+- PUP(out) = PUP(from);
++ *out++ = *from++;
++ *out++ = *from++;
++ *out++ = *from++;
+ len -= 3;
+ } while (len > 2);
+ if (len) {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ if (len > 1)
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ }
+ }
+ }
+@@ -313,8 +294,8 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ hold &= (1U << bits) - 1;
+
+ /* update state and return */
+- strm->next_in = in + OFF;
+- strm->next_out = out + OFF;
++ strm->next_in = in;
++ strm->next_out = out;
+ strm->avail_in = (unsigned)(in < last ? 5 + (last - in) : 5 - (in - last));
+ strm->avail_out = (unsigned)(out < end ?
+ 257 + (end - out) : 257 - (out - end));
diff --git a/meta/recipes-core/zlib/zlib_1.2.8.bb b/meta/recipes-core/zlib/zlib_1.2.8.bb
index b6a4c68..88f6061 100644
--- a/meta/recipes-core/zlib/zlib_1.2.8.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.8.bb
@@ -11,6 +11,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
file://Makefile-runtests.patch \
file://ldflags-tests.patch \
file://CVE-2016-9840.patch \
+ file://CVE-2016-9841.patch \
file://run-ptest \
"
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Openembedded-commits
mailing list