diff options
Diffstat (limited to 'meta/recipes-devtools/rsync/files')
4 files changed, 389 insertions, 0 deletions
diff --git a/meta/recipes-devtools/rsync/files/CVE-2016-9840.patch b/meta/recipes-devtools/rsync/files/CVE-2016-9840.patch new file mode 100644 index 0000000000..7581887790 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2016-9840.patch | |||
@@ -0,0 +1,75 @@ | |||
1 | From 6a043145ca6e9c55184013841a67b2fef87e44c0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Adler <madler@alumni.caltech.edu> | ||
3 | Date: Wed, 21 Sep 2016 23:35:50 -0700 | ||
4 | Subject: [PATCH] Remove offset pointer optimization in inftrees.c. | ||
5 | |||
6 | inftrees.c was subtracting an offset from a pointer to an array, | ||
7 | in order to provide a pointer that allowed indexing starting at | ||
8 | the offset. This is not compliant with the C standard, for which | ||
9 | the behavior of a pointer decremented before its allocated memory | ||
10 | is undefined. Per the recommendation of a security audit of the | ||
11 | zlib code by Trail of Bits and TrustInSoft, in support of the | ||
12 | Mozilla Foundation, this tiny optimization was removed, in order | ||
13 | to avoid the possibility of undefined behavior. | ||
14 | |||
15 | CVE: CVE-2016-9840 | ||
16 | Upstream-Status: Backport | ||
17 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
18 | --- | ||
19 | inftrees.c | 18 ++++++++---------- | ||
20 | 1 file changed, 8 insertions(+), 10 deletions(-) | ||
21 | |||
22 | diff --git a/zlib/inftrees.c b/zlib/inftrees.c | ||
23 | index 22fcd666..0d2670d5 100644 | ||
24 | --- a/zlib/inftrees.c | ||
25 | +++ b/zlib/inftrees.c | ||
26 | @@ -54,7 +54,7 @@ unsigned short FAR *work; | ||
27 | code FAR *next; /* next available space in table */ | ||
28 | const unsigned short FAR *base; /* base value table to use */ | ||
29 | const unsigned short FAR *extra; /* extra bits table to use */ | ||
30 | - int end; /* use base and extra for symbol > end */ | ||
31 | + unsigned match; /* use base and extra for symbol >= match */ | ||
32 | unsigned short count[MAXBITS+1]; /* number of codes of each length */ | ||
33 | unsigned short offs[MAXBITS+1]; /* offsets in table for each length */ | ||
34 | static const unsigned short lbase[31] = { /* Length codes 257..285 base */ | ||
35 | @@ -181,19 +181,17 @@ unsigned short FAR *work; | ||
36 | switch (type) { | ||
37 | case CODES: | ||
38 | base = extra = work; /* dummy value--not used */ | ||
39 | - end = 19; | ||
40 | + match = 20; | ||
41 | break; | ||
42 | case LENS: | ||
43 | base = lbase; | ||
44 | - base -= 257; | ||
45 | extra = lext; | ||
46 | - extra -= 257; | ||
47 | - end = 256; | ||
48 | + match = 257; | ||
49 | break; | ||
50 | default: /* DISTS */ | ||
51 | base = dbase; | ||
52 | extra = dext; | ||
53 | - end = -1; | ||
54 | + match = 0; | ||
55 | } | ||
56 | |||
57 | /* initialize state for loop */ | ||
58 | @@ -216,13 +214,13 @@ unsigned short FAR *work; | ||
59 | for (;;) { | ||
60 | /* create table entry */ | ||
61 | here.bits = (unsigned char)(len - drop); | ||
62 | - if ((int)(work[sym]) < end) { | ||
63 | + if (work[sym] + 1 < match) { | ||
64 | here.op = (unsigned char)0; | ||
65 | here.val = work[sym]; | ||
66 | } | ||
67 | - else if ((int)(work[sym]) > end) { | ||
68 | - here.op = (unsigned char)(extra[work[sym]]); | ||
69 | - here.val = base[work[sym]]; | ||
70 | + else if (work[sym] >= match) { | ||
71 | + here.op = (unsigned char)(extra[work[sym] - match]); | ||
72 | + here.val = base[work[sym] - match]; | ||
73 | } | ||
74 | else { | ||
75 | here.op = (unsigned char)(32 + 64); /* end of block */ | ||
diff --git a/meta/recipes-devtools/rsync/files/CVE-2016-9841.patch b/meta/recipes-devtools/rsync/files/CVE-2016-9841.patch new file mode 100644 index 0000000000..3942176de5 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2016-9841.patch | |||
@@ -0,0 +1,228 @@ | |||
1 | From 9aaec95e82117c1cb0f9624264c3618fc380cecb Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Adler <madler@alumni.caltech.edu> | ||
3 | Date: Wed, 21 Sep 2016 22:25:21 -0700 | ||
4 | Subject: [PATCH] Use post-increment only in inffast.c. | ||
5 | |||
6 | An old inffast.c optimization turns out to not be optimal anymore | ||
7 | with modern compilers, and furthermore was not compliant with the | ||
8 | C standard, for which decrementing a pointer before its allocated | ||
9 | memory is undefined. Per the recommendation of a security audit of | ||
10 | the zlib code by Trail of Bits and TrustInSoft, in support of the | ||
11 | Mozilla Foundation, this "optimization" was removed, in order to | ||
12 | avoid the possibility of undefined behavior. | ||
13 | |||
14 | CVE: CVE-2016-9841 | ||
15 | Upstream-Status: Backport | ||
16 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
17 | --- | ||
18 | zlib/inffast.c | 81 +++++++++++++++++++++---------------------------------- | ||
19 | 1 file changed, 31 insertions(+), 50 deletions(-) | ||
20 | |||
21 | diff --git a/zlib/inffast.c b/zlib/inffast.c | ||
22 | index bda59ceb..f0d163db 100644 | ||
23 | --- a/zlib/inffast.c | ||
24 | +++ b/zlib/inffast.c | ||
25 | @@ -10,25 +10,6 @@ | ||
26 | |||
27 | #ifndef ASMINF | ||
28 | |||
29 | -/* Allow machine dependent optimization for post-increment or pre-increment. | ||
30 | - Based on testing to date, | ||
31 | - Pre-increment preferred for: | ||
32 | - - PowerPC G3 (Adler) | ||
33 | - - MIPS R5000 (Randers-Pehrson) | ||
34 | - Post-increment preferred for: | ||
35 | - - none | ||
36 | - No measurable difference: | ||
37 | - - Pentium III (Anderson) | ||
38 | - - M68060 (Nikl) | ||
39 | - */ | ||
40 | -#ifdef POSTINC | ||
41 | -# define OFF 0 | ||
42 | -# define PUP(a) *(a)++ | ||
43 | -#else | ||
44 | -# define OFF 1 | ||
45 | -# define PUP(a) *++(a) | ||
46 | -#endif | ||
47 | - | ||
48 | /* | ||
49 | Decode literal, length, and distance codes and write out the resulting | ||
50 | literal and match bytes until either not enough input or output is | ||
51 | @@ -96,9 +77,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ | ||
52 | |||
53 | /* copy state to local variables */ | ||
54 | state = (struct inflate_state FAR *)strm->state; | ||
55 | - in = strm->next_in - OFF; | ||
56 | + in = strm->next_in; | ||
57 | last = in + (strm->avail_in - 5); | ||
58 | - out = strm->next_out - OFF; | ||
59 | + out = strm->next_out; | ||
60 | beg = out - (start - strm->avail_out); | ||
61 | end = out + (strm->avail_out - 257); | ||
62 | #ifdef INFLATE_STRICT | ||
63 | @@ -119,9 +100,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ | ||
64 | input data or output space */ | ||
65 | do { | ||
66 | if (bits < 15) { | ||
67 | - hold += (unsigned long)(PUP(in)) << bits; | ||
68 | + hold += (unsigned long)(*in++) << bits; | ||
69 | bits += 8; | ||
70 | - hold += (unsigned long)(PUP(in)) << bits; | ||
71 | + hold += (unsigned long)(*in++) << bits; | ||
72 | bits += 8; | ||
73 | } | ||
74 | here = lcode[hold & lmask]; | ||
75 | @@ -134,14 +115,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ | ||
76 | Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ? | ||
77 | "inflate: literal '%c'\n" : | ||
78 | "inflate: literal 0x%02x\n", here.val)); | ||
79 | - PUP(out) = (unsigned char)(here.val); | ||
80 | + *out++ = (unsigned char)(here.val); | ||
81 | } | ||
82 | else if (op & 16) { /* length base */ | ||
83 | len = (unsigned)(here.val); | ||
84 | op &= 15; /* number of extra bits */ | ||
85 | if (op) { | ||
86 | if (bits < op) { | ||
87 | - hold += (unsigned long)(PUP(in)) << bits; | ||
88 | + hold += (unsigned long)(*in++) << bits; | ||
89 | bits += 8; | ||
90 | } | ||
91 | len += (unsigned)hold & ((1U << op) - 1); | ||
92 | @@ -150,9 +131,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ | ||
93 | } | ||
94 | Tracevv((stderr, "inflate: length %u\n", len)); | ||
95 | if (bits < 15) { | ||
96 | - hold += (unsigned long)(PUP(in)) << bits; | ||
97 | + hold += (unsigned long)(*in++) << bits; | ||
98 | bits += 8; | ||
99 | - hold += (unsigned long)(PUP(in)) << bits; | ||
100 | + hold += (unsigned long)(*in++) << bits; | ||
101 | bits += 8; | ||
102 | } | ||
103 | here = dcode[hold & dmask]; | ||
104 | @@ -165,10 +146,10 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ | ||
105 | dist = (unsigned)(here.val); | ||
106 | op &= 15; /* number of extra bits */ | ||
107 | if (bits < op) { | ||
108 | - hold += (unsigned long)(PUP(in)) << bits; | ||
109 | + hold += (unsigned long)(*in++) << bits; | ||
110 | bits += 8; | ||
111 | if (bits < op) { | ||
112 | - hold += (unsigned long)(PUP(in)) << bits; | ||
113 | + hold += (unsigned long)(*in++) << bits; | ||
114 | bits += 8; | ||
115 | } | ||
116 | } | ||
117 | @@ -196,30 +177,30 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ | ||
118 | #ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR | ||
119 | if (len <= op - whave) { | ||
120 | do { | ||
121 | - PUP(out) = 0; | ||
122 | + *out++ = 0; | ||
123 | } while (--len); | ||
124 | continue; | ||
125 | } | ||
126 | len -= op - whave; | ||
127 | do { | ||
128 | - PUP(out) = 0; | ||
129 | + *out++ = 0; | ||
130 | } while (--op > whave); | ||
131 | if (op == 0) { | ||
132 | from = out - dist; | ||
133 | do { | ||
134 | - PUP(out) = PUP(from); | ||
135 | + *out++ = *from++; | ||
136 | } while (--len); | ||
137 | continue; | ||
138 | } | ||
139 | #endif | ||
140 | } | ||
141 | - from = window - OFF; | ||
142 | + from = window; | ||
143 | if (wnext == 0) { /* very common case */ | ||
144 | from += wsize - op; | ||
145 | if (op < len) { /* some from window */ | ||
146 | len -= op; | ||
147 | do { | ||
148 | - PUP(out) = PUP(from); | ||
149 | + *out++ = *from++; | ||
150 | } while (--op); | ||
151 | from = out - dist; /* rest from output */ | ||
152 | } | ||
153 | @@ -230,14 +211,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ | ||
154 | if (op < len) { /* some from end of window */ | ||
155 | len -= op; | ||
156 | do { | ||
157 | - PUP(out) = PUP(from); | ||
158 | + *out++ = *from++; | ||
159 | } while (--op); | ||
160 | - from = window - OFF; | ||
161 | + from = window; | ||
162 | if (wnext < len) { /* some from start of window */ | ||
163 | op = wnext; | ||
164 | len -= op; | ||
165 | do { | ||
166 | - PUP(out) = PUP(from); | ||
167 | + *out++ = *from++; | ||
168 | } while (--op); | ||
169 | from = out - dist; /* rest from output */ | ||
170 | } | ||
171 | @@ -248,35 +229,35 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ | ||
172 | if (op < len) { /* some from window */ | ||
173 | len -= op; | ||
174 | do { | ||
175 | - PUP(out) = PUP(from); | ||
176 | + *out++ = *from++; | ||
177 | } while (--op); | ||
178 | from = out - dist; /* rest from output */ | ||
179 | } | ||
180 | } | ||
181 | while (len > 2) { | ||
182 | - PUP(out) = PUP(from); | ||
183 | - PUP(out) = PUP(from); | ||
184 | - PUP(out) = PUP(from); | ||
185 | + *out++ = *from++; | ||
186 | + *out++ = *from++; | ||
187 | + *out++ = *from++; | ||
188 | len -= 3; | ||
189 | } | ||
190 | if (len) { | ||
191 | - PUP(out) = PUP(from); | ||
192 | + *out++ = *from++; | ||
193 | if (len > 1) | ||
194 | - PUP(out) = PUP(from); | ||
195 | + *out++ = *from++; | ||
196 | } | ||
197 | } | ||
198 | else { | ||
199 | from = out - dist; /* copy direct from output */ | ||
200 | do { /* minimum length is three */ | ||
201 | - PUP(out) = PUP(from); | ||
202 | - PUP(out) = PUP(from); | ||
203 | - PUP(out) = PUP(from); | ||
204 | + *out++ = *from++; | ||
205 | + *out++ = *from++; | ||
206 | + *out++ = *from++; | ||
207 | len -= 3; | ||
208 | } while (len > 2); | ||
209 | if (len) { | ||
210 | - PUP(out) = PUP(from); | ||
211 | + *out++ = *from++; | ||
212 | if (len > 1) | ||
213 | - PUP(out) = PUP(from); | ||
214 | + *out++ = *from++; | ||
215 | } | ||
216 | } | ||
217 | } | ||
218 | @@ -313,8 +294,8 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ | ||
219 | hold &= (1U << bits) - 1; | ||
220 | |||
221 | /* update state and return */ | ||
222 | - strm->next_in = in + OFF; | ||
223 | - strm->next_out = out + OFF; | ||
224 | + strm->next_in = in; | ||
225 | + strm->next_out = out; | ||
226 | strm->avail_in = (unsigned)(in < last ? 5 + (last - in) : 5 - (in - last)); | ||
227 | strm->avail_out = (unsigned)(out < end ? | ||
228 | 257 + (end - out) : 257 - (out - end)); | ||
diff --git a/meta/recipes-devtools/rsync/files/CVE-2016-9842.patch b/meta/recipes-devtools/rsync/files/CVE-2016-9842.patch new file mode 100644 index 0000000000..810d8a3fdb --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2016-9842.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From e54e1299404101a5a9d0cf5e45512b543967f958 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Adler <madler@alumni.caltech.edu> | ||
3 | Date: Sat, 5 Sep 2015 17:45:55 -0700 | ||
4 | Subject: [PATCH] Avoid shifts of negative values inflateMark(). | ||
5 | |||
6 | The C standard says that bit shifts of negative integers is | ||
7 | undefined. This casts to unsigned values to assure a known | ||
8 | result. | ||
9 | |||
10 | CVE: CVE-2016-9842 | ||
11 | Upstream-Status: Backport | ||
12 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
13 | --- | ||
14 | inflate.c | 5 +++-- | ||
15 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
16 | |||
17 | diff --git a/zlib/inflate.c b/zlib/inflate.c | ||
18 | index 2889e3a0..a7184167 100644 | ||
19 | --- a/zlib/inflate.c | ||
20 | +++ b/zlib/inflate.c | ||
21 | @@ -1506,9 +1506,10 @@ z_streamp strm; | ||
22 | { | ||
23 | struct inflate_state FAR *state; | ||
24 | |||
25 | - if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16; | ||
26 | + if (strm == Z_NULL || strm->state == Z_NULL) | ||
27 | + return (long)(((unsigned long)0 - 1) << 16); | ||
28 | state = (struct inflate_state FAR *)strm->state; | ||
29 | - return ((long)(state->back) << 16) + | ||
30 | + return (long)(((unsigned long)((long)state->back)) << 16) + | ||
31 | (state->mode == COPY ? state->length : | ||
32 | (state->mode == MATCH ? state->was - state->length : 0)); | ||
33 | } | ||
diff --git a/meta/recipes-devtools/rsync/files/CVE-2016-9843.patch b/meta/recipes-devtools/rsync/files/CVE-2016-9843.patch new file mode 100644 index 0000000000..ea2e42fe76 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2016-9843.patch | |||
@@ -0,0 +1,53 @@ | |||
1 | From d1d577490c15a0c6862473d7576352a9f18ef811 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Adler <madler@alumni.caltech.edu> | ||
3 | Date: Wed, 28 Sep 2016 20:20:25 -0700 | ||
4 | Subject: [PATCH] Avoid pre-decrement of pointer in big-endian CRC calculation. | ||
5 | |||
6 | There was a small optimization for PowerPCs to pre-increment a | ||
7 | pointer when accessing a word, instead of post-incrementing. This | ||
8 | required prefacing the loop with a decrement of the pointer, | ||
9 | possibly pointing before the object passed. This is not compliant | ||
10 | with the C standard, for which decrementing a pointer before its | ||
11 | allocated memory is undefined. When tested on a modern PowerPC | ||
12 | with a modern compiler, the optimization no longer has any effect. | ||
13 | Due to all that, and per the recommendation of a security audit of | ||
14 | the zlib code by Trail of Bits and TrustInSoft, in support of the | ||
15 | Mozilla Foundation, this "optimization" was removed, in order to | ||
16 | avoid the possibility of undefined behavior. | ||
17 | |||
18 | CVE: CVE-2016-9843 | ||
19 | Upstream-Status: Backport | ||
20 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
21 | --- | ||
22 | crc32.c | 4 +--- | ||
23 | 1 file changed, 1 insertion(+), 3 deletions(-) | ||
24 | |||
25 | diff --git a/zlib/crc32.c b/zlib/crc32.c | ||
26 | index 979a7190..05733f4e 100644 | ||
27 | --- a/zlib/crc32.c | ||
28 | +++ b/zlib/crc32.c | ||
29 | @@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len) | ||
30 | } | ||
31 | |||
32 | /* ========================================================================= */ | ||
33 | -#define DOBIG4 c ^= *++buf4; \ | ||
34 | +#define DOBIG4 c ^= *buf4++; \ | ||
35 | c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \ | ||
36 | crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24] | ||
37 | #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4 | ||
38 | @@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len) | ||
39 | } | ||
40 | |||
41 | buf4 = (const z_crc_t FAR *)(const void FAR *)buf; | ||
42 | - buf4--; | ||
43 | while (len >= 32) { | ||
44 | DOBIG32; | ||
45 | len -= 32; | ||
46 | @@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len) | ||
47 | DOBIG4; | ||
48 | len -= 4; | ||
49 | } | ||
50 | - buf4++; | ||
51 | buf = (const unsigned char FAR *)buf4; | ||
52 | |||
53 | if (len) do { | ||