[packages/zlib] upstream fix for CVE-2022-37434; rel 4
atler
atler at pld-linux.org
Mon Aug 15 12:13:52 CEST 2022
commit 39d59a8fd06a147a7e947763302ffaccaf047359
Author: Jan Palus <atler at pld-linux.org>
Date: Mon Aug 15 12:07:25 2022 +0200
upstream fix for CVE-2022-37434; rel 4
CVE-2022-37434.patch | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++
zlib.spec | 4 +++-
2 files changed, 64 insertions(+), 1 deletion(-)
---
diff --git a/zlib.spec b/zlib.spec
index b634aba..5d48d58 100644
--- a/zlib.spec
+++ b/zlib.spec
@@ -18,7 +18,7 @@ Summary(tr.UTF-8): Sıkıştırma işlemleri için kitaplık
Summary(uk.UTF-8): Бібліотека для компресії та декомпресії
Name: zlib
Version: 1.2.12
-Release: 3
+Release: 4
License: BSD
Group: Libraries
Source0: http://www.zlib.net/current/%{name}-%{version}.tar.gz
@@ -26,6 +26,7 @@ Source0: http://www.zlib.net/current/%{name}-%{version}.tar.gz
Patch0: %{name}-asm.patch
Patch1: cc.patch
Patch2: java-regr-workaround.patch
+Patch3: CVE-2022-37434.patch
URL: http://www.zlib.net/
BuildRequires: autoconf >= 2.50
BuildRequires: automake
@@ -306,6 +307,7 @@ cp contrib/amd64/amd64-match.S match.S
%endif
%patch1 -p1
%patch2 -p1
+%patch3 -p1
%build
CC="%{__cc}" \
diff --git a/CVE-2022-37434.patch b/CVE-2022-37434.patch
new file mode 100644
index 0000000..4fd6e5b
--- /dev/null
+++ b/CVE-2022-37434.patch
@@ -0,0 +1,61 @@
+From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
+From: Mark Adler <fork at madler.net>
+Date: Sat, 30 Jul 2022 15:51:11 -0700
+Subject: [PATCH] Fix a bug when getting a gzip header extra field with
+ inflate().
+
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+---
+ inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index 7be8c6366..7a7289749 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,9 +763,10 @@ int flush;
+ copy = state->length;
+ if (copy > have) copy = have;
+ if (copy) {
++ len = state->head->extra_len - state->length;
+ if (state->head != Z_NULL &&
+- state->head->extra != Z_NULL) {
+- len = state->head->extra_len - state->length;
++ state->head->extra != Z_NULL &&
++ len < state->head->extra_max) {
+ zmemcpy(state->head->extra + len, next,
+ len + copy > state->head->extra_max ?
+ state->head->extra_max - len : copy);
+From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
+From: Mark Adler <fork at madler.net>
+Date: Mon, 8 Aug 2022 10:50:09 -0700
+Subject: [PATCH] Fix extra field processing bug that dereferences NULL
+ state->head.
+
+The recent commit to fix a gzip header extra field processing bug
+introduced the new bug fixed here.
+---
+ inflate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index 7a7289749..2a3c4fe98 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,10 +763,10 @@ int flush;
+ copy = state->length;
+ if (copy > have) copy = have;
+ if (copy) {
+- len = state->head->extra_len - state->length;
+ if (state->head != Z_NULL &&
+ state->head->extra != Z_NULL &&
+- len < state->head->extra_max) {
++ (len = state->head->extra_len - state->length) <
++ state->head->extra_max) {
+ zmemcpy(state->head->extra + len, next,
+ len + copy > state->head->extra_max ?
+ state->head->extra_max - len : copy);
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/zlib.git/commitdiff/39d59a8fd06a147a7e947763302ffaccaf047359
More information about the pld-cvs-commit
mailing list