diff --git a/backport-fix-CVE-2005-1849.patch b/backport-fix-CVE-2005-1849.patch
new file mode 100644
index 0000000000000000000000000000000000000000..694cc5053438bc267433e378d9616b6cbdecc8e3
--- /dev/null
+++ b/backport-fix-CVE-2005-1849.patch
@@ -0,0 +1,29 @@
+From 24a4a6969dd304e3496746732461abfbd2262cf4 Mon Sep 17 00:00:00 2001
+From: Mark Adler
+Date: Tue, 30 Aug 2022 18:39:10 +0800
+Subject: [PATCH] test
+
+Conflict:NA
+Reference:https://sources.debian.org/src/zlib/1%3A1.2.2-4.sarge.2/debian/patches/021-enough/
+---
+ inftrees.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/inftrees.h b/inftrees.h
+index 82d365a..5cdcf8f 100644
+--- a/inftrees.h
++++ b/inftrees.h
+@@ -40,8 +40,8 @@ typedef struct {
+ and 154 for distances, the latter actually the result of an
+ exhaustive search). The true maximum is not known, but the value
+ below is more than safe. */
+-#define ENOUGH 1440
+-#define MAXD 154
++#define ENOUGH 2048
++#define MAXD 592
+ 
+ /* Type of code to build for inftable() */
+ typedef enum {
+--
+2.27.0
+
diff --git a/backport-fix-CVE-2016-9840.patch b/backport-fix-CVE-2016-9840.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cd9f65a415db1d57a95c9421cabf45afe1361895
--- /dev/null
+++ b/backport-fix-CVE-2016-9840.patch
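Review bot: The commit record of this patch file misdescribes the change: the subject is `Subject: [PATCH] test` and the header credits Mark Adler with a 2022 date, while the Reference line shows this is Debian's 021-enough patch rather than an upstream commit. I would replace it with something like `Subject: [PATCH] Enlarge inflate code tables (ENOUGH/MAXD) for CVE-2005-1849` and correct the From/Date so `git am` does not record a false author. The context comment just above the defines still says `and 154 for distances`, which no longer matches `MAXD 592`; update that sentence in the same patch so the table sizes and their stated justification stay in sync.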
@@ -0,0 +1,78 @@ +From 6a043145ca6e9c55184013841a67b2fef87e44c0 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Wed, 21 Sep 2016 23:35:50 -0700 +Subject: [PATCH] Remove offset pointer optimization in inftrees.c. + +inftrees.c was subtracting an offset from a pointer to an array, +in order to provide a pointer that allowed indexing starting at +the offset. This is not compliant with the C standard, for which +the behavior of a pointer decremented before its allocated memory +is undefined. Per the recommendation of a security audit of the +zlib code by Trail of Bits and TrustInSoft, in support of the +Mozilla Foundation, this tiny optimization was removed, in order +to avoid the possibility of undefined behavior. + +Conflict: Keep the variable name "this" unchanged, and the community + version uses "here" to be compatible with C++ +Reference:https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0 +--- + inftrees.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/inftrees.c b/inftrees.c +index 22fcd66..0d2670d 100644 +--- a/inftrees.c ++++ b/inftrees.c +@@ -54,7 +54,7 @@ unsigned short FAR *work; + code FAR *next; /* next available space in table */ + const unsigned short FAR *base; /* base value table to use */ + const unsigned short FAR *extra; /* extra bits table to use */ +- int end; /* use base and extra for symbol > end */ ++ unsigned match; /* use base and extra for symbol >= match */ + unsigned short count[MAXBITS+1]; /* number of codes of each length */ + unsigned short offs[MAXBITS+1]; /* offsets in table for each length */ + static const unsigned short lbase[31] = { /* Length codes 257..285 base */ +@@ -181,19 +181,17 @@ unsigned short FAR *work; + switch (type) { + case CODES: + base = extra = work; /* dummy value--not used */ +- end = 19; ++ match = 20; + break; + case LENS: + base = lbase; +- base -= 257; + extra = lext; +- extra -= 257; +- end = 256; ++ match = 257; + break; + default: 
/* DISTS */ + base = dbase; + extra = dext; +- end = -1; ++ match = 0; + } + + /* initialize state for loop */ +@@ -216,13 +214,13 @@ unsigned short FAR *work; + for (;;) { + /* create table entry */ + this.bits = (unsigned char)(len - drop); +- if ((int)(work[sym]) < end) { ++ if (work[sym] + 1 < match) { + this.op = (unsigned char)0; + this.val = work[sym]; + } +- else if ((int)(work[sym]) > end) { +- this.op = (unsigned char)(extra[work[sym]]); +- this.val = base[work[sym]]; ++ else if (work[sym] >= match) { ++ this.op = (unsigned char)(extra[work[sym] - match]); ++ this.val = base[work[sym] - match]; + } + else { + this.op = (unsigned char)(32 + 64); /* end of block */ +-- +2.27.0 + diff --git a/backport-fix-CVE-2016-9841.patch b/backport-fix-CVE-2016-9841.patch new file mode 100644 index 0000000000000000000000000000000000000000..213af1489f22b6f7fb7a3b56a809f3e927cd82b9 --- /dev/null +++ b/backport-fix-CVE-2016-9841.patch 
@@ -0,0 +1,212 @@ +From 9aaec95e82117c1cb0f9624264c3618fc380cecb Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Wed, 21 Sep 2016 22:25:21 -0700 +Subject: [PATCH] Use post-increment only in inffast.c. + +An old inffast.c optimization turns out to not be optimal anymore +with modern compilers, and furthermore was not compliant with the +C standard, for which decrementing a pointer before its allocated +memory is undefined. Per the recommendation of a security audit of +the zlib code by Trail of Bits and TrustInSoft, in support of the +Mozilla Foundation, this "optimization" was removed, in order to +avoid the possibility of undefined behavior. + +Conflict:1.adjust context + 2.delete code contained by macro INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR + which is added by the new version +Reference:https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb +--- + inffast.c | 75 +++++++++++++++++++++---------------------------------- + 1 file changed, 28 insertions(+), 47 deletions(-) + +diff --git a/inffast.c b/inffast.c +index bbee92e..1fd6467 100644 +--- a/inffast.c ++++ b/inffast.c +@@ -10,25 +10,6 @@ + + #ifndef ASMINF + +-/* Allow machine dependent optimization for post-increment or pre-increment. 
+- Based on testing to date, +- Pre-increment preferred for: +- - PowerPC G3 (Adler) +- - MIPS R5000 (Randers-Pehrson) +- Post-increment preferred for: +- - none +- No measurable difference: +- - Pentium III (Anderson) +- - M68060 (Nikl) +- */ +-#ifdef POSTINC +-# define OFF 0 +-# define PUP(a) *(a)++ +-#else +-# define OFF 1 +-# define PUP(a) *++(a) +-#endif +- + /* + Decode literal, length, and distance codes and write out the resulting + literal and match bytes until either not enough input or output is +@@ -96,9 +77,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + + /* copy state to local variables */ + state = (struct inflate_state FAR *)strm->state; +- in = strm->next_in - OFF; ++ in = strm->next_in; + last = in + (strm->avail_in - 5); +- out = strm->next_out - OFF; ++ out = strm->next_out; + beg = out - (start - strm->avail_out); + end = out + (strm->avail_out - 257); + #ifdef INFLATE_STRICT +@@ -119,9 +100,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + input data or output space */ + do { + if (bits < 15) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + } + this = lcode[hold & lmask]; +@@ -134,14 +115,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + Tracevv((stderr, this.val >= 0x20 && this.val < 0x7f ? 
+ "inflate: literal '%c'\n" : + "inflate: literal 0x%02x\n", this.val)); +- PUP(out) = (unsigned char)(this.val); ++ *out++ = (unsigned char)(this.val); + } + else if (op & 16) { /* length base */ + len = (unsigned)(this.val); + op &= 15; /* number of extra bits */ + if (op) { + if (bits < op) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + } + len += (unsigned)hold & ((1U << op) - 1); +@@ -150,9 +131,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + } + Tracevv((stderr, "inflate: length %u\n", len)); + if (bits < 15) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + } + this = dcode[hold & dmask]; +@@ -165,10 +146,10 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + dist = (unsigned)(this.val); + op &= 15; /* number of extra bits */ + if (bits < op) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + if (bits < op) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + } + } +@@ -191,13 +172,13 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + state->mode = BAD; + break; + } +- from = window - OFF; ++ from = window; + if (write == 0) { /* very common case */ + from += wsize - op; + if (op < len) { /* some from window */ + len -= op; + do { +- PUP(out) = PUP(from); ++ *out++ = *from++; + } while (--op); + from = out - dist; /* rest from output */ + } +@@ -208,14 +189,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + if (op < len) { /* some from end of window */ + len -= op; + do { +- PUP(out) = PUP(from); ++ *out++ = *from++; + } while (--op); +- from = window - OFF; ++ from = window; + if (write < len) { /* some from start of window */ + op = write; + len 
-= op; + do { +- PUP(out) = PUP(from); ++ *out++ = *from++; + } while (--op); + from = out - dist; /* rest from output */ + } +@@ -226,35 +207,35 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + if (op < len) { /* some from window */ + len -= op; + do { +- PUP(out) = PUP(from); ++ *out++ = *from++; + } while (--op); + from = out - dist; /* rest from output */ + } + } + while (len > 2) { +- PUP(out) = PUP(from); +- PUP(out) = PUP(from); +- PUP(out) = PUP(from); ++ *out++ = *from++; ++ *out++ = *from++; ++ *out++ = *from++; + len -= 3; + } + if (len) { +- PUP(out) = PUP(from); ++ *out++ = *from++; + if (len > 1) +- PUP(out) = PUP(from); ++ *out++ = *from++; + } + } + else { + from = out - dist; /* copy direct from output */ + do { /* minimum length is three */ +- PUP(out) = PUP(from); +- PUP(out) = PUP(from); +- PUP(out) = PUP(from); ++ *out++ = *from++; ++ *out++ = *from++; ++ *out++ = *from++; + len -= 3; + } while (len > 2); + if (len) { +- PUP(out) = PUP(from); ++ *out++ = *from++; + if (len > 1) +- PUP(out) = PUP(from); ++ *out++ = *from++; + } + } + } +@@ -291,8 +272,8 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + hold &= (1U << bits) - 1; + + /* update state and return */ +- strm->next_in = in + OFF; +- strm->next_out = out + OFF; ++ strm->next_in = in; ++ strm->next_out = out; + strm->avail_in = (unsigned)(in < last ? 5 + (last - in) : 5 - (in - last)); + strm->avail_out = (unsigned)(out < end ? + 257 + (end - out) : 257 - (out - end)); +-- +2.27.0 + diff --git a/backport-fix-CVE-2016-9843.patch b/backport-fix-CVE-2016-9843.patch new file mode 100644 index 0000000000000000000000000000000000000000..e8cc6567d099399998a04054961935dc9a3b733e --- /dev/null +++ b/backport-fix-CVE-2016-9843.patch 
@@ -0,0 +1,55 @@
+From d1d577490c15a0c6862473d7576352a9f18ef811 Mon Sep 17 00:00:00 2001
+From: Mark Adler
+Date: Wed, 28 Sep 2016 20:20:25 -0700
+Subject: [PATCH] Avoid pre-decrement of pointer in big-endian CRC calculation.
+
+There was a small optimization for PowerPCs to pre-increment a
+pointer when accessing a word, instead of post-incrementing. This
+required prefacing the loop with a decrement of the pointer,
+possibly pointing before the object passed. This is not compliant
+with the C standard, for which decrementing a pointer before its
+allocated memory is undefined. When tested on a modern PowerPC
+with a modern compiler, the optimization no longer has any effect.
+Due to all that, and per the recommendation of a security audit of
+the zlib code by Trail of Bits and TrustInSoft, in support of the
+Mozilla Foundation, this "optimization" was removed, in order to
+avoid the possibility of undefined behavior.
+
+Conflict:adjust context
+Reference:https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811
+---
+ crc32.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/crc32.c b/crc32.c
+index 979a719..05733f4 100644
+--- a/crc32.c
++++ b/crc32.c
+@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len)
+ }
+ 
+ /* ========================================================================= */
+-#define DOBIG4 c ^= *++buf4; \
++#define DOBIG4 c ^= *buf4++; \
+ c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \
+ crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24]
+ #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4
+@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len)
+ }
+ 
+ buf4 = (const u4 FAR *)buf;
+- buf4--;
+ while (len >= 32) {
+ DOBIG32;
+ len -= 32;
+@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len)
+ DOBIG4;
+ len -= 4;
+ }
+- buf4++;
+ buf = (const unsigned char FAR *)buf4;
+ 
+ if (len) do {
+--
+2.27.0
+
diff --git a/backport-fix-CVE-2018-25032.patch b/backport-fix-CVE-2018-25032.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f49c43fba591c358f64e134dcde3b387071b9072
--- /dev/null
+++ b/backport-fix-CVE-2018-25032.patch
@@ -0,0 +1,307 @@ +From 5c44459c3b28a9bd3283aaceab7c615f8020c531 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Tue, 17 Apr 2018 22:09:22 -0700 +Subject: [PATCH] Fix a bug that can crash deflate on some input when using + Z_FIXED. + +This bug was reported by Danilo Ramos of Eideticom, Inc. It has +lain in wait 13 years before being found! The bug was introduced +in zlib 1.2.2.2, with the addition of the Z_FIXED option. That +option forces the use of fixed Huffman codes. For rare inputs with +a large number of distant matches, the pending buffer into which +the compressed data is written can overwrite the distance symbol +table which it overlays. That results in corrupted output due to +invalid distances, and can result in out-of-bound accesses, +crashing the application. + +The fix here combines the distance buffer and literal/length +buffers into a single symbol buffer. Now three bytes of pending +buffer space are opened up for each literal or length/distance +pair consumed, instead of the previous two bytes. This assures +that the pending buffer cannot overwrite the symbol table, since +the maximum fixed code compressed length/distance is 31 bits, and +since there are four bytes of pending space for every three bytes +of symbol space. + +Conflict:1.Delete modification of deflateprime function, which is not available + in the version 1.2.2.f + 2.Delete the modification involving "FLUSH-BLOCK". 
It relies on the pre + patch and has nothing to do with repairing CVE +Reference:https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531 +--- + deflate.c | 64 ++++++++++++++++++++++++++++++++++++++++++------------- + deflate.h | 25 ++++++++++------------ + trees.c | 50 ++++++++++++------------------------------- + 3 files changed, 74 insertions(+), 65 deletions(-) + +diff --git a/deflate.c b/deflate.c +index c46aea6..6d4c582 100644 +--- a/deflate.c ++++ b/deflate.c +@@ -237,11 +237,6 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy, + int rsyncable = 0; + static const char my_version[] = ZLIB_VERSION; + +- ushf *overlay; +- /* We overlay pending_buf and d_buf+l_buf. This works since the average +- * output size for (length,distance) codes is <= 24 bits. +- */ +- + if (version == Z_NULL || version[0] != my_version[0] || + stream_size != sizeof(z_stream)) { + return Z_VERSION_ERROR; +@@ -303,9 +298,47 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy, + + s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */ + +- overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2); +- s->pending_buf = (uchf *) overlay; +- s->pending_buf_size = (ulg)s->lit_bufsize * (sizeof(ush)+2L); ++ /* We overlay pending_buf and sym_buf. This works since the average size ++ * for length/distance pairs over any compressed block is assured to be 31 ++ * bits or less. ++ * ++ * Analysis: The longest fixed codes are a length code of 8 bits plus 5 ++ * extra bits, for lengths 131 to 257. The longest fixed distance codes are ++ * 5 bits plus 13 extra bits, for distances 16385 to 32768. The longest ++ * possible fixed-codes length/distance pair is then 31 bits total. ++ * ++ * sym_buf starts one-fourth of the way into pending_buf. So there are ++ * three bytes in sym_buf for every four bytes in pending_buf. 
Each symbol ++ * in sym_buf is three bytes -- two for the distance and one for the ++ * literal/length. As each symbol is consumed, the pointer to the next ++ * sym_buf value to read moves forward three bytes. From that symbol, up to ++ * 31 bits are written to pending_buf. The closest the written pending_buf ++ * bits gets to the next sym_buf symbol to read is just before the last ++ * code is written. At that time, 31*(n-2) bits have been written, just ++ * after 24*(n-2) bits have been consumed from sym_buf. sym_buf starts at ++ * 8*n bits into pending_buf. (Note that the symbol buffer fills when n-1 ++ * symbols are written.) The closest the writing gets to what is unread is ++ * then n+14 bits. Here n is lit_bufsize, which is 16384 by default, and ++ * can range from 128 to 32768. ++ * ++ * Therefore, at a minimum, there are 142 bits of space between what is ++ * written and what is read in the overlain buffers, so the symbols cannot ++ * be overwritten by the compressed data. That space is actually 139 bits, ++ * due to the three-bit fixed-code block header. ++ * ++ * That covers the case where either Z_FIXED is specified, forcing fixed ++ * codes, or when the use of fixed codes is chosen, because that choice ++ * results in a smaller compressed block than dynamic codes. That latter ++ * condition then assures that the above analysis also covers all dynamic ++ * blocks. A dynamic-code block will only be chosen to be emitted if it has ++ * fewer bits than a fixed-code block would for the same set of symbols. ++ * Therefore its average symbol length is assured to be less than 31. So ++ * the compressed data for a dynamic block also cannot overwrite the ++ * symbols from which it is being constructed. 
++ */ ++ ++ s->pending_buf = (uchf *) ZALLOC(strm, s->lit_bufsize, 4); ++ s->pending_buf_size = (ulg)s->lit_bufsize * 4; + + if (s->window == Z_NULL || s->prev == Z_NULL || s->head == Z_NULL || + s->pending_buf == Z_NULL) { +@@ -314,8 +347,12 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy, + deflateEnd (strm); + return Z_MEM_ERROR; + } +- s->d_buf = overlay + s->lit_bufsize/sizeof(ush); +- s->l_buf = s->pending_buf + (1+sizeof(ush))*s->lit_bufsize; ++ s->sym_buf = s->pending_buf + s->lit_bufsize; ++ s->sym_end = (s->lit_bufsize - 1) * 3; ++ /* We avoid equality with lit_bufsize*3 because of wraparound at 64K ++ * on 16 bit machines and because stored blocks are restricted to ++ * 64K-1 bytes. ++ */ + + s->level = level; + s->strategy = strategy; +@@ -897,7 +934,6 @@ int ZEXPORT deflateCopy (dest, source) + #else + deflate_state *ds; + deflate_state *ss; +- ushf *overlay; + + + if (source == Z_NULL || dest == Z_NULL || source->state == Z_NULL) { +@@ -917,8 +953,7 @@ int ZEXPORT deflateCopy (dest, source) + ds->window = (Bytef *) ZALLOC(dest, ds->w_size, 2*sizeof(Byte)); + ds->prev = (Posf *) ZALLOC(dest, ds->w_size, sizeof(Pos)); + ds->head = (Posf *) ZALLOC(dest, ds->hash_size, sizeof(Pos)); +- overlay = (ushf *) ZALLOC(dest, ds->lit_bufsize, sizeof(ush)+2); +- ds->pending_buf = (uchf *) overlay; ++ ds->pending_buf = (uchf *) ZALLOC(dest, ds->lit_bufsize, 4); + + if (ds->window == Z_NULL || ds->prev == Z_NULL || ds->head == Z_NULL || + ds->pending_buf == Z_NULL) { +@@ -932,8 +967,7 @@ int ZEXPORT deflateCopy (dest, source) + zmemcpy(ds->pending_buf, ss->pending_buf, (uInt)ds->pending_buf_size); + + ds->pending_out = ds->pending_buf + (ss->pending_out - ss->pending_buf); +- ds->d_buf = overlay + ds->lit_bufsize/sizeof(ush); +- ds->l_buf = ds->pending_buf + (1+sizeof(ush))*ds->lit_bufsize; ++ ds->sym_buf = ds->pending_buf + ds->lit_bufsize; + + ds->l_desc.dyn_tree = ds->dyn_ltree; + ds->d_desc.dyn_tree = ds->dyn_dtree; +diff --git 
a/deflate.h b/deflate.h +index 35363bb..1ec0e2c 100644 +--- a/deflate.h ++++ b/deflate.h +@@ -212,7 +212,7 @@ typedef struct internal_state { + /* Depth of each subtree used as tie breaker for trees of equal frequency + */ + +- uchf *l_buf; /* buffer for literals or lengths */ ++ uchf *sym_buf; /* buffer for distances and literals/lengths */ + + uInt lit_bufsize; + /* Size of match buffer for literals/lengths. There are 4 reasons for +@@ -234,13 +234,8 @@ typedef struct internal_state { + * - I can't count above 4 + */ + +- uInt last_lit; /* running index in l_buf */ +- +- ushf *d_buf; +- /* Buffer for distances. To simplify the code, d_buf and l_buf have +- * the same number of elements. To use different lengths, an extra flag +- * array would be necessary. +- */ ++ uInt sym_next; /* running index in sym_buf */ ++ uInt sym_end; /* symbol table full when sym_next reaches this */ + + ulg opt_len; /* bit length of current block with optimal trees */ + ulg static_len; /* bit length of current block with static trees */ +@@ -311,20 +306,22 @@ void _tr_stored_block OF((deflate_state *s, charf *buf, ulg stored_len, + + # define _tr_tally_lit(s, c, flush) \ + { uch cc = (c); \ +- s->d_buf[s->last_lit] = 0; \ +- s->l_buf[s->last_lit++] = cc; \ ++ s->sym_buf[s->sym_next++] = 0; \ ++ s->sym_buf[s->sym_next++] = 0; \ ++ s->sym_buf[s->sym_next++] = cc; \ + s->dyn_ltree[cc].Freq++; \ +- flush = (s->last_lit == s->lit_bufsize-1); \ ++ flush = (s->sym_next == s->sym_end); \ + } + # define _tr_tally_dist(s, distance, length, flush) \ + { uch len = (length); \ + ush dist = (distance); \ +- s->d_buf[s->last_lit] = dist; \ +- s->l_buf[s->last_lit++] = len; \ ++ s->sym_buf[s->sym_next++] = dist; \ ++ s->sym_buf[s->sym_next++] = dist >> 8; \ ++ s->sym_buf[s->sym_next++] = len; \ + dist--; \ + s->dyn_ltree[_length_code[len]+LITERALS+1].Freq++; \ + s->dyn_dtree[d_code(dist)].Freq++; \ +- flush = (s->last_lit == s->lit_bufsize-1); \ ++ flush = (s->sym_next == s->sym_end); \ + } + #else + 
# define _tr_tally_lit(s, c, flush) flush = _tr_tally(s, 0, c) +diff --git a/trees.c b/trees.c +index c160b07..0f2aae7 100644 +--- a/trees.c ++++ b/trees.c +@@ -420,7 +420,7 @@ local void init_block(s) + + s->dyn_ltree[END_BLOCK].Freq = 1; + s->opt_len = s->static_len = 0L; +- s->last_lit = s->matches = 0; ++ s->sym_next = s->matches = 0; + } + + #define SMALLEST 1 +@@ -958,7 +958,7 @@ void _tr_flush_block(s, buf, stored_len, pad, eof) + + Tracev((stderr, "\nopt %lu(%lu) stat %lu(%lu) stored %lu lit %u ", + opt_lenb, s->opt_len, static_lenb, s->static_len, stored_len, +- s->last_lit)); ++ s->sym_next / 3)); + + if (static_lenb <= opt_lenb) opt_lenb = static_lenb; + +@@ -1031,8 +1031,9 @@ int _tr_tally (s, dist, lc) + unsigned dist; /* distance of matched string */ + unsigned lc; /* match length-MIN_MATCH or unmatched char (if dist==0) */ + { +- s->d_buf[s->last_lit] = (ush)dist; +- s->l_buf[s->last_lit++] = (uch)lc; ++ s->sym_buf[s->sym_next++] = dist; ++ s->sym_buf[s->sym_next++] = dist >> 8; ++ s->sym_buf[s->sym_next++] = lc; + if (dist == 0) { + /* lc is the unmatched char */ + s->dyn_ltree[lc].Freq++; +@@ -1047,30 +1048,7 @@ int _tr_tally (s, dist, lc) + s->dyn_ltree[_length_code[lc]+LITERALS+1].Freq++; + s->dyn_dtree[d_code(dist)].Freq++; + } +- +-#ifdef TRUNCATE_BLOCK +- /* Try to guess if it is profitable to stop the current block here */ +- if ((s->last_lit & 0x1fff) == 0 && s->level > 2) { +- /* Compute an upper bound for the compressed length */ +- ulg out_length = (ulg)s->last_lit*8L; +- ulg in_length = (ulg)((long)s->strstart - s->block_start); +- int dcode; +- for (dcode = 0; dcode < D_CODES; dcode++) { +- out_length += (ulg)s->dyn_dtree[dcode].Freq * +- (5L+extra_dbits[dcode]); +- } +- out_length >>= 3; +- Tracev((stderr,"\nlast_lit %u, in %ld, out ~%ld(%ld%%) ", +- s->last_lit, in_length, out_length, +- 100L - out_length*100L/in_length)); +- if (s->matches < s->last_lit/2 && out_length < in_length/2) return 1; +- } +-#endif +- return (s->last_lit == 
s->lit_bufsize-1); +- /* We avoid equality with lit_bufsize because of wraparound at 64K +- * on 16 bit machines and because stored blocks are restricted to +- * 64K-1 bytes. +- */ ++ return (s->sym_next == s->sym_end); + } + + /* =========================================================================== +@@ -1083,13 +1061,14 @@ local void compress_block(s, ltree, dtree) + { + unsigned dist; /* distance of matched string */ + int lc; /* match length or unmatched char (if dist == 0) */ +- unsigned lx = 0; /* running index in l_buf */ ++ unsigned sx = 0; /* running index in sym_buf */ + unsigned code; /* the code to send */ + int extra; /* number of extra bits to send */ + +- if (s->last_lit != 0) do { +- dist = s->d_buf[lx]; +- lc = s->l_buf[lx++]; ++ if (s->sym_next != 0) do { ++ dist = s->sym_buf[sx++] & 0xff; ++ dist += (unsigned)(s->sym_buf[sx++] & 0xff) << 8; ++ lc = s->sym_buf[sx++]; + if (dist == 0) { + send_code(s, lc, ltree); /* send a literal byte */ + Tracecv(isgraph(lc), (stderr," '%c' ", lc)); +@@ -1114,11 +1093,10 @@ local void compress_block(s, ltree, dtree) + } + } /* literal or match pair ? */ + +- /* Check that the overlay between pending_buf and d_buf+l_buf is ok: */ +- Assert((uInt)(s->pending) < s->lit_bufsize + 2*lx, +- "pendingBuf overflow"); ++ /* Check that the overlay between pending_buf and sym_buf is ok: */ ++ Assert(s->pending < s->lit_bufsize + sx, "pendingBuf overflow"); + +- } while (lx < s->last_lit); ++ } while (sx < s->sym_next); + + send_code(s, END_BLOCK, ltree); + s->last_eob_len = ltree[END_BLOCK].Len; +-- +2.27.0 + diff --git a/backport-fix-CVE-2022-37434-1.patch b/backport-fix-CVE-2022-37434-1.patch new file mode 100644 index 0000000000000000000000000000000000000000..16b9dd88f283f0d4823d7fc5a7165df9ef7ebb06 --- /dev/null +++ b/backport-fix-CVE-2022-37434-1.patch 
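Review bot: The Conflict note at the top of this patch drops the upstream change to deflatePrime(), but if this tree does have a deflatePrime() (I cannot tell from here) it still pushes caller-supplied bits into pending_buf and needs a bound against the new layout — presumably that the bits fit between pending_out and `s->sym_buf` — or the overlay this commit protects is reachable from that path; please confirm with a grep of the bundled zlib for `deflatePrime`. Separately, the d_buf/l_buf/last_lit fields are removed from deflate.h here, so any use left in the rsyncable-modified deflate.c fails to compile rather than silently misbehaving, and a package build is the check for that. The _tr_tally and compress_block bodies continue outside the shown hunks.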
@@ -0,0 +1,38 @@
+From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
+From: Mark Adler
+Date: Sat, 30 Jul 2022 15:51:11 -0700
+Subject: [PATCH] Fix a bug when getting a gzip header extra field with
+ inflate().
+
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+
+Conflict:NA
+Reference:https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
+---
+ inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index 7be8c63..7a72897 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,9 +763,10 @@ int flush;
+ copy = state->length;
+ if (copy > have) copy = have;
+ if (copy) {
++ len = state->head->extra_len - state->length;
+ if (state->head != Z_NULL &&
+- state->head->extra != Z_NULL) {
+- len = state->head->extra_len - state->length;
++ state->head->extra != Z_NULL &&
++ len < state->head->extra_max) {
+ zmemcpy(state->head->extra + len, next,
+ len + copy > state->head->extra_max ?
+ state->head->extra_max - len : copy);
+--
+2.27.0
+
diff --git a/backport-fix-CVE-2022-37434-2.patch b/backport-fix-CVE-2022-37434-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d35267af1a48c1891914a688b73d5bbec33dd87b
--- /dev/null
+++ b/backport-fix-CVE-2022-37434-2.patch
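Review bot: Taken alone, this patch reads `state->head->extra_len` on the added `len = ...` line before the `state->head != Z_NULL` test on the following line, so it dereferences a NULL head whenever no gzip header struct was registered with inflateGetHeader(); backport-fix-CVE-2022-37434-2.patch moves the assignment inside the condition. The spec applies both, so the built tree is fine, but the two should not be separable — either squash them into one patch file or state in this file's Conflict/Reference block that 37434-2 is mandatory, so a later cherry-pick of 6005 without 6006 does not reintroduce the crash. The enclosing inflate() switch case begins and ends outside the hunk.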
@@ -0,0 +1,35 @@
+From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
+From: Mark Adler
+Date: Mon, 8 Aug 2022 10:50:09 -0700
+Subject: [PATCH] Fix extra field processing bug that dereferences NULL
+ state->head.
+
+The recent commit to fix a gzip header extra field processing bug
+introduced the new bug fixed here.
+
+Conflict:NA
+Reference:https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
+---
+ inflate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index 7a72897..2a3c4fe 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,10 +763,10 @@ int flush;
+ copy = state->length;
+ if (copy > have) copy = have;
+ if (copy) {
+- len = state->head->extra_len - state->length;
+ if (state->head != Z_NULL &&
+ state->head->extra != Z_NULL &&
+- len < state->head->extra_max) {
++ (len = state->head->extra_len - state->length) <
++ state->head->extra_max) {
+ zmemcpy(state->head->extra + len, next,
+ len + copy > state->head->extra_max ?
+ state->head->extra_max - len : copy);
+--
+2.27.0
+
diff --git a/deltarpm.spec b/deltarpm.spec
index d12aa497af974486371b134fb1336db2b35544e5..e110f3159b7e2e73f4c0b428b1596136d2a56fc1 100644
--- a/deltarpm.spec
+++ b/deltarpm.spec
@@ -1,7 +1,7 @@
 %bcond_without python3
 Name: deltarpm
 Version: 3.6.3
-Release: 1
+Release: 2
 Summary: deltarpm contains the difference between an old and a new version of an RPM package.
 License: BSD
 URL: https://github.com/rpm-software-management/deltarpm
@@ -11,6 +11,14 @@ BuildRequires: gcc bzip2-devel perl-generators xz-devel rpm-devel popt-devel zl BuildRequires: %{_vendor}-rpm-config BuildRequires: python3-devel +Patch6000: backport-fix-CVE-2005-1849.patch +Patch6001: backport-fix-CVE-2016-9840.patch +Patch6002: backport-fix-CVE-2016-9841.patch +Patch6003: backport-fix-CVE-2016-9843.patch +Patch6004: backport-fix-CVE-2018-25032.patch +Patch6005: backport-fix-CVE-2022-37434-1.patch +Patch6006: backport-fix-CVE-2022-37434-2.patch + %description Delta RPM packages contain the difference between an old and a new version of an RPM package. Applying a delta RPM on an old RPM results @@ -41,8 +49,18 @@ This package contains a tool to sync a file tree with deltarpms. %prep -%autosetup -p1 - +%setup -q -n %{name}-%{version} +#patch for zlib +cd zlib-1.2.2.f-rsyncable +%patch6000 -p1 +%patch6001 -p1 +%patch6002 -p1 +%patch6003 -p1 +%patch6004 -p1 +%patch6005 -p1 +%patch6006 -p1 +cd - +#patch for zlib end %build %make_build CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="%__global_ldflags" \ @@ -76,6 +94,20 @@ deltarpms. %{_bindir}/drpmsync %changelog +* Tue Sep 20 2022 zhoushuiqing - 3.6.3-2 +- Type:CVE +- CVE:CVE-2005-1849,CVE-2016-9840,CVE-2016-9841,CVE-2016-9843,CVE-2018-25032,CVE-2022-37434 +- SUG:NA +- DESC:backport patchs fix zlib cves: CVE-2005-1849 CVE-2016-9840 + CVE-2016-9841 CVE-2016-9843 CVE-2018-25032 CVE-2022-37434 + backport-fix-CVE-2005-1849.patch + backport-fix-CVE-2016-9840.patch + backport-fix-CVE-2016-9841.patch + backport-fix-CVE-2016-9843.patch + backport-fix-CVE-2018-25032.patch + backport-fix-CVE-2022-37434-1.patch + backport-fix-CVE-2022-37434-2.patch + * Tue Nov 30 2021 wangjie - 3.6.3-1 - Type:enhancement - ID:NA
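Review bot: The %prep change patches zlib security fixes into a bundled copy (`cd zlib-1.2.2.f-rsyncable`) that the spec never declares, so CVE scanners keyed on package Provides will not associate future zlib advisories with this package; add `Provides: bundled(zlib) = 1.2.2.f` next to the BuildRequires lines. The Type:CVE changelog covers 9840/9841/9843 from the 2016 Trail of Bits audit but not CVE-2016-9842 (the inflateMark() fix from the same audit); if this 1.2.2.f copy has inflateMark() it needs that patch too, and if it does not, say so in the DESC so the gap is not re-raised. It is also worth confirming whether the other 2005 inflate fix that shipped alongside CVE-2005-1849 in zlib 1.2.3 (CVE-2005-2096) applies to this 1.2.2-era copy, since only the ENOUGH/MAXD enlargement is backported here. Minor: `patchs` in the DESC line should be `patches`, and `cd -` echoes the directory into the build log where `cd ..` is quieter. The %build section continues outside the hunk.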