diff options
author | George McCollister <george.mccollister@gmail.com> | 2017-11-14 14:01:03 -0600 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-11-21 14:43:55 +0000 |
commit | c3450174c8624e02d6515ec4afb981171aed1817 (patch) | |
tree | 271e3f317c961c08db63f01512c6998c0c34840d /meta | |
parent | 7e357238ef49143ba0a818735553be79972da01f (diff) | |
download | poky-c3450174c8624e02d6515ec4afb981171aed1817.tar.gz |
zlib: Fix CVE-2016-9840
Add backported patch to fix CVE-2016-9840 which was fixed in zlib 1.2.9
https://nvd.nist.gov/vuln/detail/CVE-2016-9840
(From OE-Core rev: c34064cceeb56806ed8ddf3aff73a3971378066c)
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch | 77 | ||||
-rw-r--r-- | meta/recipes-core/zlib/zlib_1.2.8.bb | 1 |
2 files changed, 78 insertions, 0 deletions
diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch new file mode 100644 index 0000000000..4f0d2c6975 --- /dev/null +++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch | |||
@@ -0,0 +1,77 @@ | |||
1 | commit 6a043145ca6e9c55184013841a67b2fef87e44c0 | ||
2 | Author: Mark Adler <madler@alumni.caltech.edu> | ||
3 | Date: Wed Sep 21 23:35:50 2016 -0700 | ||
4 | |||
5 | Remove offset pointer optimization in inftrees.c. | ||
6 | |||
7 | inftrees.c was subtracting an offset from a pointer to an array, | ||
8 | in order to provide a pointer that allowed indexing starting at | ||
9 | the offset. This is not compliant with the C standard, for which | ||
10 | the behavior of a pointer decremented before its allocated memory | ||
11 | is undefined. Per the recommendation of a security audit of the | ||
12 | zlib code by Trail of Bits and TrustInSoft, in support of the | ||
13 | Mozilla Foundation, this tiny optimization was removed, in order | ||
14 | to avoid the possibility of undefined behavior. | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz | ||
18 | https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0 | ||
19 | |||
20 | CVE: CVE-2016-9840 | ||
21 | |||
22 | Signed-off-by: George McCollister <george.mccollister@gmail.com> | ||
23 | |||
24 | diff --git a/inftrees.c b/inftrees.c | ||
25 | index 22fcd66..0d2670d 100644 | ||
26 | --- a/inftrees.c | ||
27 | +++ b/inftrees.c | ||
28 | @@ -54,7 +54,7 @@ unsigned short FAR *work; | ||
29 | code FAR *next; /* next available space in table */ | ||
30 | const unsigned short FAR *base; /* base value table to use */ | ||
31 | const unsigned short FAR *extra; /* extra bits table to use */ | ||
32 | - int end; /* use base and extra for symbol > end */ | ||
33 | + unsigned match; /* use base and extra for symbol >= match */ | ||
34 | unsigned short count[MAXBITS+1]; /* number of codes of each length */ | ||
35 | unsigned short offs[MAXBITS+1]; /* offsets in table for each length */ | ||
36 | static const unsigned short lbase[31] = { /* Length codes 257..285 base */ | ||
37 | @@ -181,19 +181,17 @@ unsigned short FAR *work; | ||
38 | switch (type) { | ||
39 | case CODES: | ||
40 | base = extra = work; /* dummy value--not used */ | ||
41 | - end = 19; | ||
42 | + match = 20; | ||
43 | break; | ||
44 | case LENS: | ||
45 | base = lbase; | ||
46 | - base -= 257; | ||
47 | extra = lext; | ||
48 | - extra -= 257; | ||
49 | - end = 256; | ||
50 | + match = 257; | ||
51 | break; | ||
52 | default: /* DISTS */ | ||
53 | base = dbase; | ||
54 | extra = dext; | ||
55 | - end = -1; | ||
56 | + match = 0; | ||
57 | } | ||
58 | |||
59 | /* initialize state for loop */ | ||
60 | @@ -216,13 +214,13 @@ unsigned short FAR *work; | ||
61 | for (;;) { | ||
62 | /* create table entry */ | ||
63 | here.bits = (unsigned char)(len - drop); | ||
64 | - if ((int)(work[sym]) < end) { | ||
65 | + if (work[sym] + 1 < match) { | ||
66 | here.op = (unsigned char)0; | ||
67 | here.val = work[sym]; | ||
68 | } | ||
69 | - else if ((int)(work[sym]) > end) { | ||
70 | - here.op = (unsigned char)(extra[work[sym]]); | ||
71 | - here.val = base[work[sym]]; | ||
72 | + else if (work[sym] >= match) { | ||
73 | + here.op = (unsigned char)(extra[work[sym] - match]); | ||
74 | + here.val = base[work[sym] - match]; | ||
75 | } | ||
76 | else { | ||
77 | here.op = (unsigned char)(32 + 64); /* end of block */ | ||
diff --git a/meta/recipes-core/zlib/zlib_1.2.8.bb b/meta/recipes-core/zlib/zlib_1.2.8.bb index 913c7033d4..b6a4c687ca 100644 --- a/meta/recipes-core/zlib/zlib_1.2.8.bb +++ b/meta/recipes-core/zlib/zlib_1.2.8.bb | |||
@@ -10,6 +10,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \ | |||
10 | file://remove.ldconfig.call.patch \ | 10 | file://remove.ldconfig.call.patch \ |
11 | file://Makefile-runtests.patch \ | 11 | file://Makefile-runtests.patch \ |
12 | file://ldflags-tests.patch \ | 12 | file://ldflags-tests.patch \ |
13 | file://CVE-2016-9840.patch \ | ||
13 | file://run-ptest \ | 14 | file://run-ptest \ |
14 | " | 15 | " |
15 | 16 | ||