packages/zlib
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!23 [sync] PR-21: fix CVE-2022-37434

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @xiezhipeng1 
Signed-off-by: @xiezhipeng1
This commit is contained in:
openeuler-ci-bot 2022-08-16 09:38:28 +00:00 committed by Gitee
commit 9aaf0f89dd
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 73 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
backport-0001-CVE-2022-37434.patch Normal file
View File

@ -0,0 +1,35 @@
From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
From: Mark Adler <fork@madler.net>
Date: Sat, 30 Jul 2022 15:51:11 -0700
Subject: [PATCH] Fix a bug when getting a gzip header extra field with
inflate().
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
---
inflate.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/inflate.c b/inflate.c
index 2a0ac30..95a38f5 100644
--- a/inflate.c
+++ b/inflate.c
@@ -765,9 +765,10 @@ int flush;
copy = state->length;
if (copy > have) copy = have;
if (copy) {
+ len = state->head->extra_len - state->length;
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ len < state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);
--
2.27.0

32
backport-0002-CVE-2022-37434.patch Normal file
View File

@ -0,0 +1,32 @@
From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
From: Mark Adler <fork@madler.net>
Date: Mon, 8 Aug 2022 10:50:09 -0700
Subject: [PATCH] Fix extra field processing bug that dereferences NULL
state->head.
The recent commit to fix a gzip header extra field processing bug
introduced the new bug fixed here.
---
inflate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/inflate.c b/inflate.c
index 95a38f5..9c5934e 100644
--- a/inflate.c
+++ b/inflate.c
@@ -765,10 +765,10 @@ int flush;
copy = state->length;
if (copy > have) copy = have;
if (copy) {
- len = state->head->extra_len - state->length;
if (state->head != Z_NULL &&
state->head->extra != Z_NULL &&
- len < state->head->extra_max) {
+ (len = state->head->extra_len - state->length) <
+ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);
--
2.27.0

7
zlib.spec
View File

@ -1,6 +1,6 @@
Name: zlib Name: zlib
Version: 1.2.11 Version: 1.2.11
Release: 21 Release: 22
Summary: A lossless data-compression library Summary: A lossless data-compression library
License: zlib and Boost License: zlib and Boost
URL: http://www.zlib.net URL: http://www.zlib.net
@ -21,6 +21,8 @@ Patch6: 0005-Accelerate-Adler32-using-arm64-SVE-instructions.patch
Patch6000: fix-undefined-buffer-detected-by-oss-fuzz.patch Patch6000: fix-undefined-buffer-detected-by-oss-fuzz.patch
Patch6001: backport-0001-CVE-2018-25032.patch Patch6001: backport-0001-CVE-2018-25032.patch
Patch6002: backport-0002-CVE-2018-25032.patch Patch6002: backport-0002-CVE-2018-25032.patch
Patch6003: backport-0001-CVE-2022-37434.patch
Patch6004: backport-0002-CVE-2022-37434.patch
BuildRequires: automake, autoconf, libtool BuildRequires: automake, autoconf, libtool
@ -121,6 +123,9 @@ make test
%{_libdir}/pkgconfig/minizip.pc %{_libdir}/pkgconfig/minizip.pc
%changelog %changelog
* Fri Aug 12 2022 dongyuzhen <dongyuzhen@h-partners.com> - 1.2.11-22
- fix CVE-2022-37434
* Mon Apr 18 2022 tianwei <tianwei12@h-partners.com> - 1.2.11-21 * Mon Apr 18 2022 tianwei <tianwei12@h-partners.com> - 1.2.11-21
- modify patch info for CVE-2018-25032 - modify patch info for CVE-2018-25032