zlib: Fix CVE-2016-9843

Add backported patch to fix CVE-2016-9843 which was fixed in zlib 1.2.9 https://nvd.nist.gov/vuln/detail/CVE-2016-9843 (From OE-Core rev: 32db742922b6e4127d65abf42905a07eca6a2255) Signed-off-by: George McCollister <george.mccollister@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: George McCollister <george.mccollister@gmail.com> 2017-11-14 14:01:06 -0600
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-11-21 14:43:56 +0000
commit: 2cfc0951486b1e1b0b5dccbecac12d4e3826d0c9 (patch)
tree: d4dbafe70dff698a64a140ee250c17bc67e37275 /meta/recipes-core
parent: ee4506739f91828f5d33d306bc994e2e59655c5b (diff)
download: poky-2cfc0951486b1e1b0b5dccbecac12d4e3826d0c9.tar.gz
2 files changed, 56 insertions, 0 deletions
diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9843.patch b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9843.patch
new file mode 100644
index 0000000000..1ff8acf265
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9843.patch
@@ -0,0 +1,55 @@
+commit d1d577490c15a0c6862473d7576352a9f18ef811
+Author: Mark Adler <madler@alumni.caltech.edu>
+Date:   Wed Sep 28 20:20:25 2016 -0700
+    Avoid pre-decrement of pointer in big-endian CRC calculation.
+    
+    There was a small optimization for PowerPCs to pre-increment a
+    pointer when accessing a word, instead of post-incrementing. This
+    required prefacing the loop with a decrement of the pointer,
+    possibly pointing before the object passed. This is not compliant
+    with the C standard, for which decrementing a pointer before its
+    allocated memory is undefined. When tested on a modern PowerPC
+    with a modern compiler, the optimization no longer has any effect.
+    Due to all that, and per the recommendation of a security audit of
+    the zlib code by Trail of Bits and TrustInSoft, in support of the
+    Mozilla Foundation, this "optimization" was removed, in order to
+    avoid the possibility of undefined behavior.
+Upstream-Status: Backport
+http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz
+https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811
+CVE: CVE-2016-9843
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+diff --git a/crc32.c b/crc32.c
+index 979a719..05733f4 100644
+--- a/crc32.c
+++ b/crc32.c
+@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len)
+ }
+ 
+ /* ========================================================================= */
+-#define DOBIG4 c ^= *++buf4; \
+#define DOBIG4 c ^= *buf4++; \
+         c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \
+             crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24]
+ #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4
+@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len)
+     }
+ 
+     buf4 = (const z_crc_t FAR *)(const void FAR *)buf;
+-    buf4--;
+     while (len >= 32) {
+         DOBIG32;
+         len -= 32;
+@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len)
+         DOBIG4;
+         len -= 4;
+     }
+-    buf4++;
+     buf = (const unsigned char FAR *)buf4;
+ 
+     if (len) do {
diff --git a/meta/recipes-core/zlib/zlib_1.2.8.bb b/meta/recipes-core/zlib/zlib_1.2.8.bb
index eb38589b6a..338d0f9573 100644
--- a/meta/recipes-core/zlib/zlib_1.2.8.bb
+++ b/meta/recipes-core/zlib/zlib_1.2.8.bb
@@ -13,6 +13,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
           file://CVE-2016-9840.patch \
           file://CVE-2016-9841.patch \
           file://CVE-2016-9842.patch \
+           file://CVE-2016-9843.patch \
           file://run-ptest \
           "
author	George McCollister <george.mccollister@gmail.com>	2017-11-14 14:01:06 -0600
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-11-21 14:43:56 +0000
commit	2cfc0951486b1e1b0b5dccbecac12d4e3826d0c9 (patch)
tree	d4dbafe70dff698a64a140ee250c17bc67e37275 /meta/recipes-core
parent	ee4506739f91828f5d33d306bc994e2e59655c5b (diff)
download	poky-2cfc0951486b1e1b0b5dccbecac12d4e3826d0c9.tar.gz

diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9843.patch b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9843.patch new file mode 100644 index 0000000000..1ff8acf265 --- /dev/null +++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9843.patch
@@ -0,0 +1,55 @@
		1	commit d1d577490c15a0c6862473d7576352a9f18ef811
		2	Author: Mark Adler <madler@alumni.caltech.edu>
		3	Date: Wed Sep 28 20:20:25 2016 -0700
		4
		5	Avoid pre-decrement of pointer in big-endian CRC calculation.
		6
		7	There was a small optimization for PowerPCs to pre-increment a
		8	pointer when accessing a word, instead of post-incrementing. This
		9	required prefacing the loop with a decrement of the pointer,
		10	possibly pointing before the object passed. This is not compliant
		11	with the C standard, for which decrementing a pointer before its
		12	allocated memory is undefined. When tested on a modern PowerPC
		13	with a modern compiler, the optimization no longer has any effect.
		14	Due to all that, and per the recommendation of a security audit of
		15	the zlib code by Trail of Bits and TrustInSoft, in support of the
		16	Mozilla Foundation, this "optimization" was removed, in order to
		17	avoid the possibility of undefined behavior.
		18
		19	Upstream-Status: Backport
		20	http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz
		21	https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811
		22
		23	CVE: CVE-2016-9843
		24
		25	Signed-off-by: George McCollister <george.mccollister@gmail.com>
		26
		27	diff --git a/crc32.c b/crc32.c
		28	index 979a719..05733f4 100644
		29	--- a/crc32.c
		30	+++ b/crc32.c
		31	@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len)
		32	}
		33
		34	/* ========================================================================= */
		35	-#define DOBIG4 c ^= *++buf4; \
		36	+#define DOBIG4 c ^= *buf4++; \
		37	c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \
		38	crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24]
		39	#define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4
		40	@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len)
		41	}
		42
		43	buf4 = (const z_crc_t FAR )(const void FAR )buf;
		44	- buf4--;
		45	while (len >= 32) {
		46	DOBIG32;
		47	len -= 32;
		48	@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len)
		49	DOBIG4;
		50	len -= 4;
		51	}
		52	- buf4++;
		53	buf = (const unsigned char FAR *)buf4;
		54
		55	if (len) do {


diff --git a/meta/recipes-core/zlib/zlib_1.2.8.bb b/meta/recipes-core/zlib/zlib_1.2.8.bb index eb38589b6a..338d0f9573 100644 --- a/meta/recipes-core/zlib/zlib_1.2.8.bb +++ b/meta/recipes-core/zlib/zlib_1.2.8.bb
@@ -13,6 +13,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
13	file://CVE-2016-9840.patch \	13	file://CVE-2016-9840.patch \
14	file://CVE-2016-9841.patch \	14	file://CVE-2016-9841.patch \
15	file://CVE-2016-9842.patch \	15	file://CVE-2016-9842.patch \
		16	file://CVE-2016-9843.patch \
16	file://run-ptest \	17	file://run-ptest \
17	"	18	"
18		19