Fix CVE-2022-37434

starlet-dx 2023-05-16 15:34:00 +08:00
parent d5fb7dc4e6
commit 16dd64d27f
3 changed files with 75 additions and 1 deletions

35
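--- a/CVE-2022-37434-1.patch
+++ b/CVE-2022-37434-1.patch
@@ -0,0 +1,35 @@
+From a16f5c7b7c5353cda8c8235d9a6765c7fe3c1231 Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Tue, 16 May 2023 15:15:10 +0800
+Subject: [PATCH 1/1] Fix a bug when getting a gzip header extra field with
+inflate().
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+---
+extra/zlib/zlib-1.2.12/inflate.c | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/extra/zlib/zlib-1.2.12/inflate.c b/extra/zlib/zlib-1.2.12/inflate.c
+index 7be8c636..7a728974 100644
+--- a/extra/zlib/zlib-1.2.12/inflate.c
++++ b/extra/zlib/zlib-1.2.12/inflate.c
+@@ -763,9 +763,10 @@ int flush;
+copy = state->length;
+if (copy > have) copy = have;
+if (copy) {
++ len = state->head->extra_len - state->length;
+if (state->head != Z_NULL &&
+- state->head->extra != Z_NULL) {
+- len = state->head->extra_len - state->length;
++ state->head->extra != Z_NULL &&
++ len < state->head->extra_max) {
+zmemcpy(state->head->extra + len, next,
+len + copy > state->head->extra_max ?
+state->head->extra_max - len : copy);
+--
+2.30.0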
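Review bot: The two patch files form an ordered pair whose dependency is recorded nowhere except the index lines — `index 7be8c636..7a728974` here and `index 7a728974..2a3c4fe9` in CVE-2022-37434-2.patch — while both Subject lines say `[PATCH 1/1]`. Applied on its own, this first patch leaves inflate() reading `state->head->extra_len` on the added line `len = state->head->extra_len - state->length;` before the `state->head != Z_NULL` test, which is precisely the NULL dereference the second patch file says it fixes; the spec applies both in order so the shipped tree is correct, but a later rebase that drops or reorders one of them would reintroduce the regression. Consider squashing the pair into one patch, or adding a sentence to each description such as `Must be applied together with CVE-2022-37434-2.patch; the intermediate state dereferences a NULL state->head.`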

32
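--- a/CVE-2022-37434-2.patch
+++ b/CVE-2022-37434-2.patch
@@ -0,0 +1,32 @@
+From 49a8fd61c4f8db9b8e9a50e70114cedc5842178e Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Tue, 16 May 2023 15:17:40 +0800
+Subject: [PATCH 1/1] Fix extra field processing bug that dereferences NULL
+state->head.
+The recent commit to fix a gzip header extra field processing bug
+introduced the new bug fixed here.
+---
+extra/zlib/zlib-1.2.12/inflate.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/extra/zlib/zlib-1.2.12/inflate.c b/extra/zlib/zlib-1.2.12/inflate.c
+index 7a728974..2a3c4fe9 100644
+--- a/extra/zlib/zlib-1.2.12/inflate.c
++++ b/extra/zlib/zlib-1.2.12/inflate.c
+@@ -763,10 +763,10 @@ int flush;
+copy = state->length;
+if (copy > have) copy = have;
+if (copy) {
+- len = state->head->extra_len - state->length;
+if (state->head != Z_NULL &&
+state->head->extra != Z_NULL &&
+- len < state->head->extra_max) {
++ (len = state->head->extra_len - state->length) <
++ state->head->extra_max) {
+zmemcpy(state->head->extra + len, next,
+len + copy > state->head->extra_max ?
+state->head->extra_max - len : copy);
+--
+2.30.0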


@ -30,7 +30,7 @@
%global sameevr %{?epoch:%{epoch}:}%{version}-%{release}
Name: mysql
Version: 8.0.30
Release: 2
Release: 3
Summary: MySQL client programs and shared libraries
URL: http://www.mysql.com
License: GPLv2 with exceptions and LGPLv2 and BSD
@ -63,6 +63,8 @@ Patch80: %{pkgnamepatch}-fix-includes-robin-hood.patch
Patch81: disable-moutline-atomics-for-aarch64.patch
Patch115: boost-1.58.0-pool.patch
Patch125: boost-1.57.0-mpl-print.patch
Patch126: CVE-2022-37434-1.patch
Patch127: CVE-2022-37434-2.patch
BuildRequires: cmake gcc-c++ libaio-devel libedit-devel libevent-devel libicu-devel lz4
BuildRequires: lz4-devel mecab-devel bison libzstd-devel
@ -225,6 +227,8 @@ cd ..
%patch75 -p1
%patch80 -p1
%patch81 -p1
%patch126 -p1
%patch127 -p1
pushd boost/boost_$(echo %{boost_bundled_version}| tr . _)
%patch115 -p0
%patch125 -p1
@ -543,6 +547,9 @@ fi
%{_mandir}/man1/mysql_config.1*
%changelog
* Tue May 16 2023 yaoxin <yao_xin001@hoperun.com> - 8.0.30-3
- Fix CVE-2022-37434
* Fri Mar 3 2023 Ge Wang <wangge20@h-partners.com> - 8.0.30-2
- Remove rpath
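Review bot: The changelog entry `- Fix CVE-2022-37434` does not name the affected component; nothing in the spec hunks shows that the fix targets the zlib copy bundled under extra/zlib/zlib-1.2.12 rather than MySQL's own code, and that path is visible only inside the two patch files. Someone auditing which zlib a built binary carries would be served by `- Fix CVE-2022-37434 in bundled zlib (extra/zlib/zlib-1.2.12)`. Whether this build actually links the bundled copy rather than the system libz is not visible in these hunks; if it uses the system library, the two patches are inert for the shipped binaries and that is worth stating in the same entry.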