zlib: Fix CVE-2016-9840

Add backported patch to fix CVE-2016-9840 which was fixed in zlib 1.2.9 https://nvd.nist.gov/vuln/detail/CVE-2016-9840 (From OE-Core rev: c34064cceeb56806ed8ddf3aff73a3971378066c) Signed-off-by: George McCollister <george.mccollister@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: George McCollister <george.mccollister@gmail.com> 2017-11-14 14:01:03 -0600
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-11-21 14:43:55 +0000
commit: c3450174c8624e02d6515ec4afb981171aed1817 (patch)
tree: 271e3f317c961c08db63f01512c6998c0c34840d
parent: 7e357238ef49143ba0a818735553be79972da01f (diff)
download: poky-c3450174c8624e02d6515ec4afb981171aed1817.tar.gz
2 files changed, 78 insertions, 0 deletions
diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch
new file mode 100644
index 0000000000..4f0d2c6975
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch
@@ -0,0 +1,77 @@
+commit 6a043145ca6e9c55184013841a67b2fef87e44c0
+Author: Mark Adler <madler@alumni.caltech.edu>
+Date:   Wed Sep 21 23:35:50 2016 -0700
+    Remove offset pointer optimization in inftrees.c.
+    
+    inftrees.c was subtracting an offset from a pointer to an array,
+    in order to provide a pointer that allowed indexing starting at
+    the offset. This is not compliant with the C standard, for which
+    the behavior of a pointer decremented before its allocated memory
+    is undefined. Per the recommendation of a security audit of the
+    zlib code by Trail of Bits and TrustInSoft, in support of the
+    Mozilla Foundation, this tiny optimization was removed, in order
+    to avoid the possibility of undefined behavior.
+Upstream-Status: Backport
+http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz
+https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0
+CVE: CVE-2016-9840
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+diff --git a/inftrees.c b/inftrees.c
+index 22fcd66..0d2670d 100644
+--- a/inftrees.c
+++ b/inftrees.c
+@@ -54,7 +54,7 @@ unsigned short FAR *work;
+     code FAR *next;             /* next available space in table */
+     const unsigned short FAR *base;     /* base value table to use */
+     const unsigned short FAR *extra;    /* extra bits table to use */
+-    int end;                    /* use base and extra for symbol > end */
+    unsigned match;             /* use base and extra for symbol >= match */
+     unsigned short count[MAXBITS+1];    /* number of codes of each length */
+     unsigned short offs[MAXBITS+1];     /* offsets in table for each length */
+     static const unsigned short lbase[31] = { /* Length codes 257..285 base */
+@@ -181,19 +181,17 @@ unsigned short FAR *work;
+     switch (type) {
+     case CODES:
+         base = extra = work;    /* dummy value--not used */
+-        end = 19;
+        match = 20;
+         break;
+     case LENS:
+         base = lbase;
+-        base -= 257;
+         extra = lext;
+-        extra -= 257;
+-        end = 256;
+        match = 257;
+         break;
+     default:            /* DISTS */
+         base = dbase;
+         extra = dext;
+-        end = -1;
+        match = 0;
+     }
+ 
+     /* initialize state for loop */
+@@ -216,13 +214,13 @@ unsigned short FAR *work;
+     for (;;) {
+         /* create table entry */
+         here.bits = (unsigned char)(len - drop);
+-        if ((int)(work[sym]) < end) {
+        if (work[sym] + 1 < match) {
+             here.op = (unsigned char)0;
+             here.val = work[sym];
+         }
+-        else if ((int)(work[sym]) > end) {
+-            here.op = (unsigned char)(extra[work[sym]]);
+-            here.val = base[work[sym]];
+        else if (work[sym] >= match) {
+            here.op = (unsigned char)(extra[work[sym] - match]);
+            here.val = base[work[sym] - match];
+         }
+         else {
+             here.op = (unsigned char)(32 + 64);         /* end of block */
diff --git a/meta/recipes-core/zlib/zlib_1.2.8.bb b/meta/recipes-core/zlib/zlib_1.2.8.bb
index 913c7033d4..b6a4c687ca 100644
--- a/meta/recipes-core/zlib/zlib_1.2.8.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.8.bb
@@ -10,6 +10,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
           file://remove.ldconfig.call.patch \
           file://Makefile-runtests.patch \
           file://ldflags-tests.patch \
+           file://CVE-2016-9840.patch \
           file://run-ptest \
           "
author	George McCollister <george.mccollister@gmail.com>	2017-11-14 14:01:03 -0600
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-11-21 14:43:55 +0000
commit	c3450174c8624e02d6515ec4afb981171aed1817 (patch)
tree	271e3f317c961c08db63f01512c6998c0c34840d
parent	7e357238ef49143ba0a818735553be79972da01f (diff)
download	poky-c3450174c8624e02d6515ec4afb981171aed1817.tar.gz

diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch new file mode 100644 index 0000000000..4f0d2c6975 --- /dev/null +++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch
@@ -0,0 +1,77 @@
		1	commit 6a043145ca6e9c55184013841a67b2fef87e44c0
		2	Author: Mark Adler <madler@alumni.caltech.edu>
		3	Date: Wed Sep 21 23:35:50 2016 -0700
		4
		5	Remove offset pointer optimization in inftrees.c.
		6
		7	inftrees.c was subtracting an offset from a pointer to an array,
		8	in order to provide a pointer that allowed indexing starting at
		9	the offset. This is not compliant with the C standard, for which
		10	the behavior of a pointer decremented before its allocated memory
		11	is undefined. Per the recommendation of a security audit of the
		12	zlib code by Trail of Bits and TrustInSoft, in support of the
		13	Mozilla Foundation, this tiny optimization was removed, in order
		14	to avoid the possibility of undefined behavior.
		15
		16	Upstream-Status: Backport
		17	http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz
		18	https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0
		19
		20	CVE: CVE-2016-9840
		21
		22	Signed-off-by: George McCollister <george.mccollister@gmail.com>
		23
		24	diff --git a/inftrees.c b/inftrees.c
		25	index 22fcd66..0d2670d 100644
		26	--- a/inftrees.c
		27	+++ b/inftrees.c
		28	@@ -54,7 +54,7 @@ unsigned short FAR *work;
		29	code FAR next; / next available space in table */
		30	const unsigned short FAR base; / base value table to use */
		31	const unsigned short FAR extra; / extra bits table to use */
		32	- int end; /* use base and extra for symbol > end */
		33	+ unsigned match; /* use base and extra for symbol >= match */
		34	unsigned short count[MAXBITS+1]; /* number of codes of each length */
		35	unsigned short offs[MAXBITS+1]; /* offsets in table for each length */
		36	static const unsigned short lbase[31] = { /* Length codes 257..285 base */
		37	@@ -181,19 +181,17 @@ unsigned short FAR *work;
		38	switch (type) {
		39	case CODES:
		40	base = extra = work; /* dummy value--not used */
		41	- end = 19;
		42	+ match = 20;
		43	break;
		44	case LENS:
		45	base = lbase;
		46	- base -= 257;
		47	extra = lext;
		48	- extra -= 257;
		49	- end = 256;
		50	+ match = 257;
		51	break;
		52	default: /* DISTS */
		53	base = dbase;
		54	extra = dext;
		55	- end = -1;
		56	+ match = 0;
		57	}
		58
		59	/* initialize state for loop */
		60	@@ -216,13 +214,13 @@ unsigned short FAR *work;
		61	for (;;) {
		62	/* create table entry */
		63	here.bits = (unsigned char)(len - drop);
		64	- if ((int)(work[sym]) < end) {
		65	+ if (work[sym] + 1 < match) {
		66	here.op = (unsigned char)0;
		67	here.val = work[sym];
		68	}
		69	- else if ((int)(work[sym]) > end) {
		70	- here.op = (unsigned char)(extra[work[sym]]);
		71	- here.val = base[work[sym]];
		72	+ else if (work[sym] >= match) {
		73	+ here.op = (unsigned char)(extra[work[sym] - match]);
		74	+ here.val = base[work[sym] - match];
		75	}
		76	else {
		77	here.op = (unsigned char)(32 + 64); /* end of block */


diff --git a/meta/recipes-core/zlib/zlib_1.2.8.bb b/meta/recipes-core/zlib/zlib_1.2.8.bb index 913c7033d4..b6a4c687ca 100644 --- a/meta/recipes-core/zlib/zlib_1.2.8.bb +++ b/meta/recipes-core/zlib/zlib_1.2.8.bb
@@ -10,6 +10,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
10	file://remove.ldconfig.call.patch \	10	file://remove.ldconfig.call.patch \
11	file://Makefile-runtests.patch \	11	file://Makefile-runtests.patch \
12	file://ldflags-tests.patch \	12	file://ldflags-tests.patch \
		13	file://CVE-2016-9840.patch \
13	file://run-ptest \	14	file://run-ptest \
14	"	15	"
15		16