authorAnuj Mittal <anuj.mittal@intel.com>2019-07-19 09:31:06 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-07-19 16:19:14 +0100
commitdb32c9bda315cbfd4afe5df6cb50f9440783f10f (patch)
tree4b9a1de2961ed9b8e6f180e979158c13eb958697
parentf56e1ffb1e0943bf0f1c016255e5a6b09d52ca66 (diff)
rsync: fix CVEs for included zlib
rsync includes its own copy of zlib and doesn't recommend linking with the system version [1]. Import CVE fixes that impact zlib version 1.2.8 [2] that is currently used by rsync. [1] https://git.samba.org/rsync.git/?p=rsync.git;a=blob;f=zlib/README.rsync [2] https://nvd.nist.gov/vuln/search/results?form_type=Advanced&cves=on&cpe_version=cpe%3a%2fa%3agnu%3azlib%3a1.2.8 (From OE-Core rev: a55fbb4cb489853dfb0b4553f6e187c3f3633f48) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/rsync/files/CVE-2016-9840.patch75
-rw-r--r--meta/recipes-devtools/rsync/files/CVE-2016-9841.patch228
-rw-r--r--meta/recipes-devtools/rsync/files/CVE-2016-9842.patch33
-rw-r--r--meta/recipes-devtools/rsync/files/CVE-2016-9843.patch53
-rw-r--r--meta/recipes-devtools/rsync/rsync_3.1.3.bb4
5 files changed, 393 insertions, 0 deletions
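--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2016-9840.patch
@@ -0,0 +1,75 @@
+From 6a043145ca6e9c55184013841a67b2fef87e44c0 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Wed, 21 Sep 2016 23:35:50 -0700
+Subject: [PATCH] Remove offset pointer optimization in inftrees.c.
+
+inftrees.c was subtracting an offset from a pointer to an array,
+in order to provide a pointer that allowed indexing starting at
+the offset. This is not compliant with the C standard, for which
+the behavior of a pointer decremented before its allocated memory
+is undefined. Per the recommendation of a security audit of the
+zlib code by Trail of Bits and TrustInSoft, in support of the
+Mozilla Foundation, this tiny optimization was removed, in order
+to avoid the possibility of undefined behavior.
+
+CVE: CVE-2016-9840
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ inftrees.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/zlib/inftrees.c b/zlib/inftrees.c
+index 22fcd666..0d2670d5 100644
+--- a/zlib/inftrees.c
++++ b/zlib/inftrees.c
+@@ -54,7 +54,7 @@ unsigned short FAR *work;
+ code FAR *next; /* next available space in table */
+ const unsigned short FAR *base; /* base value table to use */
+ const unsigned short FAR *extra; /* extra bits table to use */
+- int end; /* use base and extra for symbol > end */
++ unsigned match; /* use base and extra for symbol >= match */
+ unsigned short count[MAXBITS+1]; /* number of codes of each length */
+ unsigned short offs[MAXBITS+1]; /* offsets in table for each length */
+ static const unsigned short lbase[31] = { /* Length codes 257..285 base */
+@@ -181,19 +181,17 @@ unsigned short FAR *work;
+ switch (type) {
+ case CODES:
+ base = extra = work; /* dummy value--not used */
+- end = 19;
++ match = 20;
+ break;
+ case LENS:
+ base = lbase;
+- base -= 257;
+ extra = lext;
+- extra -= 257;
+- end = 256;
++ match = 257;
+ break;
+ default: /* DISTS */
+ base = dbase;
+ extra = dext;
+- end = -1;
++ match = 0;
+ }
+
+ /* initialize state for loop */
+@@ -216,13 +214,13 @@ unsigned short FAR *work;
+ for (;;) {
+ /* create table entry */
+ here.bits = (unsigned char)(len - drop);
+- if ((int)(work[sym]) < end) {
++ if (work[sym] + 1 < match) {
+ here.op = (unsigned char)0;
+ here.val = work[sym];
+ }
+- else if ((int)(work[sym]) > end) {
+- here.op = (unsigned char)(extra[work[sym]]);
+- here.val = base[work[sym]];
++ else if (work[sym] >= match) {
++ here.op = (unsigned char)(extra[work[sym] - match]);
++ here.val = base[work[sym] - match];
+ }
+ else {
+ here.op = (unsigned char)(32 + 64); /* end of block */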
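Review bot: The patch header gives no pointer to where this fix was backported from: `Upstream-Status: Backport` stands alone, and the diffstat still names `inftrees.c` while the hunks were retargeted to `zlib/inftrees.c`, so the file was edited by hand after export. Naming the origin, for example `Upstream-Status: Backport [zlib commit 6a043145ca6e9c55184013841a67b2fef87e44c0]` (the hash from the patch's own From line, presumably the zlib commit), would let a later maintainer diff the hunks against upstream and confirm that only the paths changed. The same bare tag appears in CVE-2016-9841.patch, CVE-2016-9842.patch and CVE-2016-9843.patch, and the last two also keep an unprefixed diffstat path (`inflate.c`, `crc32.c`).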
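--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2016-9841.patch
@@ -0,0 +1,228 @@
+From 9aaec95e82117c1cb0f9624264c3618fc380cecb Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Wed, 21 Sep 2016 22:25:21 -0700
+Subject: [PATCH] Use post-increment only in inffast.c.
+
+An old inffast.c optimization turns out to not be optimal anymore
+with modern compilers, and furthermore was not compliant with the
+C standard, for which decrementing a pointer before its allocated
+memory is undefined. Per the recommendation of a security audit of
+the zlib code by Trail of Bits and TrustInSoft, in support of the
+Mozilla Foundation, this "optimization" was removed, in order to
+avoid the possibility of undefined behavior.
+
+CVE: CVE-2016-9841
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ zlib/inffast.c | 81 +++++++++++++++++++++----------------------------------
+ 1 file changed, 31 insertions(+), 50 deletions(-)
+
+diff --git a/zlib/inffast.c b/zlib/inffast.c
+index bda59ceb..f0d163db 100644
+--- a/zlib/inffast.c
++++ b/zlib/inffast.c
+@@ -10,25 +10,6 @@
+
+ #ifndef ASMINF
+
+-/* Allow machine dependent optimization for post-increment or pre-increment.
+- Based on testing to date,
+- Pre-increment preferred for:
+- - PowerPC G3 (Adler)
+- - MIPS R5000 (Randers-Pehrson)
+- Post-increment preferred for:
+- - none
+- No measurable difference:
+- - Pentium III (Anderson)
+- - M68060 (Nikl)
+- */
+-#ifdef POSTINC
+-# define OFF 0
+-# define PUP(a) *(a)++
+-#else
+-# define OFF 1
+-# define PUP(a) *++(a)
+-#endif
+-
+ /*
+ Decode literal, length, and distance codes and write out the resulting
+ literal and match bytes until either not enough input or output is
+@@ -96,9 +77,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+
+ /* copy state to local variables */
+ state = (struct inflate_state FAR *)strm->state;
+- in = strm->next_in - OFF;
++ in = strm->next_in;
+ last = in + (strm->avail_in - 5);
+- out = strm->next_out - OFF;
++ out = strm->next_out;
+ beg = out - (start - strm->avail_out);
+ end = out + (strm->avail_out - 257);
+ #ifdef INFLATE_STRICT
+@@ -119,9 +100,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ input data or output space */
+ do {
+ if (bits < 15) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ here = lcode[hold & lmask];
+@@ -134,14 +115,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ?
+ "inflate: literal '%c'\n" :
+ "inflate: literal 0x%02x\n", here.val));
+- PUP(out) = (unsigned char)(here.val);
++ *out++ = (unsigned char)(here.val);
+ }
+ else if (op & 16) { /* length base */
+ len = (unsigned)(here.val);
+ op &= 15; /* number of extra bits */
+ if (op) {
+ if (bits < op) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ len += (unsigned)hold & ((1U << op) - 1);
+@@ -150,9 +131,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ }
+ Tracevv((stderr, "inflate: length %u\n", len));
+ if (bits < 15) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ here = dcode[hold & dmask];
+@@ -165,10 +146,10 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ dist = (unsigned)(here.val);
+ op &= 15; /* number of extra bits */
+ if (bits < op) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ if (bits < op) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ }
+@@ -196,30 +177,30 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ #ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
+ if (len <= op - whave) {
+ do {
+- PUP(out) = 0;
++ *out++ = 0;
+ } while (--len);
+ continue;
+ }
+ len -= op - whave;
+ do {
+- PUP(out) = 0;
++ *out++ = 0;
+ } while (--op > whave);
+ if (op == 0) {
+ from = out - dist;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--len);
+ continue;
+ }
+ #endif
+ }
+- from = window - OFF;
++ from = window;
+ if (wnext == 0) { /* very common case */
+ from += wsize - op;
+ if (op < len) { /* some from window */
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+ from = out - dist; /* rest from output */
+ }
+@@ -230,14 +211,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ if (op < len) { /* some from end of window */
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+- from = window - OFF;
++ from = window;
+ if (wnext < len) { /* some from start of window */
+ op = wnext;
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+ from = out - dist; /* rest from output */
+ }
+@@ -248,35 +229,35 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ if (op < len) { /* some from window */
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+ from = out - dist; /* rest from output */
+ }
+ }
+ while (len > 2) {
+- PUP(out) = PUP(from);
+- PUP(out) = PUP(from);
+- PUP(out) = PUP(from);
++ *out++ = *from++;
++ *out++ = *from++;
++ *out++ = *from++;
+ len -= 3;
+ }
+ if (len) {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ if (len > 1)
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ }
+ }
+ else {
+ from = out - dist; /* copy direct from output */
+ do { /* minimum length is three */
+- PUP(out) = PUP(from);
+- PUP(out) = PUP(from);
+- PUP(out) = PUP(from);
++ *out++ = *from++;
++ *out++ = *from++;
++ *out++ = *from++;
+ len -= 3;
+ } while (len > 2);
+ if (len) {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ if (len > 1)
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ }
+ }
+ }
+@@ -313,8 +294,8 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ hold &= (1U << bits) - 1;
+
+ /* update state and return */
+- strm->next_in = in + OFF;
+- strm->next_out = out + OFF;
++ strm->next_in = in;
++ strm->next_out = out;
+ strm->avail_in = (unsigned)(in < last ? 5 + (last - in) : 5 - (in - last));
+ strm->avail_out = (unsigned)(out < end ?
+ 257 + (end - out) : 257 - (out - end));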
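Review bot: Everything this patch rewrites sits below the `#ifndef ASMINF` context line near the top of inffast.c, so a build that defines ASMINF would not compile the corrected C loop at all. Whether rsync's bundled zlib can be configured that way is not visible from these hunks, so it is worth confirming rather than assuming. A sentence in the patch header, e.g. `Only the C inflate_fast() is changed; builds defining ASMINF are not covered by this fix.`, would record that limit. The function body starts and ends outside the hunks shown.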
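--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2016-9842.patch
@@ -0,0 +1,33 @@
+From e54e1299404101a5a9d0cf5e45512b543967f958 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Sat, 5 Sep 2015 17:45:55 -0700
+Subject: [PATCH] Avoid shifts of negative values inflateMark().
+
+The C standard says that bit shifts of negative integers is
+undefined. This casts to unsigned values to assure a known
+result.
+
+CVE: CVE-2016-9842
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/zlib/inflate.c b/zlib/inflate.c
+index 2889e3a0..a7184167 100644
+--- a/zlib/inflate.c
++++ b/zlib/inflate.c
+@@ -1506,9 +1506,10 @@ z_streamp strm;
+ {
+ struct inflate_state FAR *state;
+
+- if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16;
++ if (strm == Z_NULL || strm->state == Z_NULL)
++ return (long)(((unsigned long)0 - 1) << 16);
+ state = (struct inflate_state FAR *)strm->state;
+- return ((long)(state->back) << 16) +
++ return (long)(((unsigned long)((long)state->back)) << 16) +
+ (state->mode == COPY ? state->length :
+ (state->mode == MATCH ? state->was - state->length : 0));
+ }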
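--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2016-9843.patch
@@ -0,0 +1,53 @@
+From d1d577490c15a0c6862473d7576352a9f18ef811 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Wed, 28 Sep 2016 20:20:25 -0700
+Subject: [PATCH] Avoid pre-decrement of pointer in big-endian CRC calculation.
+
+There was a small optimization for PowerPCs to pre-increment a
+pointer when accessing a word, instead of post-incrementing. This
+required prefacing the loop with a decrement of the pointer,
+possibly pointing before the object passed. This is not compliant
+with the C standard, for which decrementing a pointer before its
+allocated memory is undefined. When tested on a modern PowerPC
+with a modern compiler, the optimization no longer has any effect.
+Due to all that, and per the recommendation of a security audit of
+the zlib code by Trail of Bits and TrustInSoft, in support of the
+Mozilla Foundation, this "optimization" was removed, in order to
+avoid the possibility of undefined behavior.
+
+CVE: CVE-2016-9843
+Upstream-Status: Backport
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ crc32.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/zlib/crc32.c b/zlib/crc32.c
+index 979a7190..05733f4e 100644
+--- a/zlib/crc32.c
++++ b/zlib/crc32.c
+@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len)
+ }
+
+ /* ========================================================================= */
+-#define DOBIG4 c ^= *++buf4; \
++#define DOBIG4 c ^= *buf4++; \
+ c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \
+ crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24]
+ #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4
+@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len)
+ }
+
+ buf4 = (const z_crc_t FAR *)(const void FAR *)buf;
+- buf4--;
+ while (len >= 32) {
+ DOBIG32;
+ len -= 32;
+@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len)
+ DOBIG4;
+ len -= 4;
+ }
+- buf4++;
+ buf = (const unsigned char FAR *)buf4;
+
+ if (len) do {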
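--- a/meta/recipes-devtools/rsync/rsync_3.1.3.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.1.3.bb
@@ -11,6 +11,10 @@ DEPENDS = "popt"
 SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
  file://rsyncd.conf \
  file://makefile-no-rebuild.patch \
+ file://CVE-2016-9840.patch \
+ file://CVE-2016-9841.patch \
+ file://CVE-2016-9842.patch \
+ file://CVE-2016-9843.patch \
 "
 
 SRC_URI[md5sum] = "1581a588fde9d89f6bc6201e8129afaf"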
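Review bot: The four new SRC_URI entries carry no hint in the recipe that they patch rsync's bundled zlib rather than rsync itself; that context lives only in the commit message. A comment above `SRC_URI`, such as `# CVE-2016-9840..9843: fixes for the zlib 1.2.8 copy bundled with rsync; re-check when the bundled zlib changes`, would keep whoever upgrades the recipe from carrying or dropping the patches blindly. The SRC_URI assignment begins on the hunk's first context line, so the comment would sit directly above the shown range.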