zlib: Fix CVE-2026-27171

Pick patch from [1] also mentioned in [2] [1] https://github.com/madler/zlib/issues/904 [2] https://security-tracker.debian.org/tracker/CVE-2026-27171 (From OE-Core rev: cf95e20db688fb155ba0dc7968c816937190234f) Signed-off-by: Bruno VERNAY <bruno.vernay@se.com> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> 2026-03-02 07:54:46 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2026-03-16 10:22:06 +0000
commit: 5a3a16988890dc6f39c9b5aacca49de27d461219 (patch)
tree: 73d98384081719e236bf4b790b91135d80c95310 /meta
parent: e254ea69aa886d6b2963d378b4758c6f4f250ce4 (diff)
download: poky-5a3a16988890dc6f39c9b5aacca49de27d461219.tar.gz
2 files changed, 64 insertions, 0 deletions
diff --git a/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch b/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch
new file mode 100644
index 0000000000..e6a8a3eac5
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch
@@ -0,0 +1,63 @@
+From f234bdf5c0f94b681312452fcd5e36968221fa04 Mon Sep 17 00:00:00 2001
+From: Mark Adler <git@madler.net>
+Date: Sun, 21 Dec 2025 18:17:56 -0800
+Subject: [PATCH] Check for negative lengths in crc32_combine functions.
+Though zlib.h says that len2 must be non-negative, this avoids the
+possibility of an accidental infinite loop.
+Upstream-Status: Backport [https://github.com/madler/zlib/commit/ba829a458576d1ff0f26fc7230c6de816d1f6a77]
+CVE: CVE-2026-27171
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+---
+ crc32.c | 4 ++++
+ zlib.h  | 4 ++--
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+diff --git a/crc32.c b/crc32.c
+index 6c38f5c..33d8c79 100644
+--- a/crc32.c
+++ b/crc32.c
+@@ -1019,6 +1019,8 @@ unsigned long ZEXPORT crc32(unsigned long crc, const unsigned char FAR *buf,
+ 
+ /* ========================================================================= */
+ uLong ZEXPORT crc32_combine64(uLong crc1, uLong crc2, z_off64_t len2) {
+    if (len2 < 0)
+        return 0;
+ #ifdef DYNAMIC_CRC_TABLE
+     once(&made, make_crc_table);
+ #endif /* DYNAMIC_CRC_TABLE */
+@@ -1032,6 +1034,8 @@ uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2) {
+ 
+ /* ========================================================================= */
+ uLong ZEXPORT crc32_combine_gen64(z_off64_t len2) {
+    if (len2 < 0)
+        return 0;
+ #ifdef DYNAMIC_CRC_TABLE
+     once(&made, make_crc_table);
+ #endif /* DYNAMIC_CRC_TABLE */
+diff --git a/zlib.h b/zlib.h
+index 8d4b932..8c7f8ac 100644
+--- a/zlib.h
+++ b/zlib.h
+@@ -1758,14 +1758,14 @@ ZEXTERN uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2);
+    seq1 and seq2 with lengths len1 and len2, CRC-32 check values were
+    calculated for each, crc1 and crc2.  crc32_combine() returns the CRC-32
+    check value of seq1 and seq2 concatenated, requiring only crc1, crc2, and
+-   len2. len2 must be non-negative.
+   len2. len2 must be non-negative, otherwise zero is returned.
+ */
+ 
+ /*
+ ZEXTERN uLong ZEXPORT crc32_combine_gen(z_off_t len2);
+ 
+      Return the operator corresponding to length len2, to be used with
+-   crc32_combine_op(). len2 must be non-negative.
+   crc32_combine_op(). len2 must be non-negative, otherwise zero is returned.
+ */
+ 
+ ZEXTERN uLong ZEXPORT crc32_combine_op(uLong crc1, uLong crc2, uLong op);
+-- 
+2.43.0
diff --git a/meta/recipes-core/zlib/zlib_1.3.1.bb b/meta/recipes-core/zlib/zlib_1.3.1.bb
index 4992f83463..e42578fd7e 100644
--- a/meta/recipes-core/zlib/zlib_1.3.1.bb
+++ b/meta/recipes-core/zlib/zlib_1.3.1.bb
@@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://zlib.h;beginline=6;endline=23;md5=5377232268e952e9ef6
 SRC_URI = "https://zlib.net/${BP}.tar.gz \
           file://0001-configure-Pass-LDFLAGS-to-link-tests.patch \
           file://run-ptest \
+           file://CVE-2026-27171.patch \
           "
 UPSTREAM_CHECK_URI = "http://zlib.net/"
author	Hugo SIMELIERE <hsimeliere.opensource@witekio.com>	2026-03-02 07:54:46 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2026-03-16 10:22:06 +0000
commit	5a3a16988890dc6f39c9b5aacca49de27d461219 (patch)
tree	73d98384081719e236bf4b790b91135d80c95310 /meta
parent	e254ea69aa886d6b2963d378b4758c6f4f250ce4 (diff)
download	poky-5a3a16988890dc6f39c9b5aacca49de27d461219.tar.gz

diff --git a/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch b/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch new file mode 100644 index 0000000000..e6a8a3eac5 --- /dev/null +++ b/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch
@@ -0,0 +1,63 @@
		1	From f234bdf5c0f94b681312452fcd5e36968221fa04 Mon Sep 17 00:00:00 2001
		2	From: Mark Adler <git@madler.net>
		3	Date: Sun, 21 Dec 2025 18:17:56 -0800
		4	Subject: [PATCH] Check for negative lengths in crc32_combine functions.
		5
		6	Though zlib.h says that len2 must be non-negative, this avoids the
		7	possibility of an accidental infinite loop.
		8
		9	Upstream-Status: Backport [https://github.com/madler/zlib/commit/ba829a458576d1ff0f26fc7230c6de816d1f6a77]
		10	CVE: CVE-2026-27171
		11
		12	Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
		13	---
		14	crc32.c \| 4 ++++
		15	zlib.h \| 4 ++--
		16	2 files changed, 6 insertions(+), 2 deletions(-)
		17
		18	diff --git a/crc32.c b/crc32.c
		19	index 6c38f5c..33d8c79 100644
		20	--- a/crc32.c
		21	+++ b/crc32.c
		22	@@ -1019,6 +1019,8 @@ unsigned long ZEXPORT crc32(unsigned long crc, const unsigned char FAR *buf,
		23
		24	/* ========================================================================= */
		25	uLong ZEXPORT crc32_combine64(uLong crc1, uLong crc2, z_off64_t len2) {
		26	+ if (len2 < 0)
		27	+ return 0;
		28	#ifdef DYNAMIC_CRC_TABLE
		29	once(&made, make_crc_table);
		30	#endif /* DYNAMIC_CRC_TABLE */
		31	@@ -1032,6 +1034,8 @@ uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2) {
		32
		33	/* ========================================================================= */
		34	uLong ZEXPORT crc32_combine_gen64(z_off64_t len2) {
		35	+ if (len2 < 0)
		36	+ return 0;
		37	#ifdef DYNAMIC_CRC_TABLE
		38	once(&made, make_crc_table);
		39	#endif /* DYNAMIC_CRC_TABLE */
		40	diff --git a/zlib.h b/zlib.h
		41	index 8d4b932..8c7f8ac 100644
		42	--- a/zlib.h
		43	+++ b/zlib.h
		44	@@ -1758,14 +1758,14 @@ ZEXTERN uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2);
		45	seq1 and seq2 with lengths len1 and len2, CRC-32 check values were
		46	calculated for each, crc1 and crc2. crc32_combine() returns the CRC-32
		47	check value of seq1 and seq2 concatenated, requiring only crc1, crc2, and
		48	- len2. len2 must be non-negative.
		49	+ len2. len2 must be non-negative, otherwise zero is returned.
		50	*/
		51
		52	/*
		53	ZEXTERN uLong ZEXPORT crc32_combine_gen(z_off_t len2);
		54
		55	Return the operator corresponding to length len2, to be used with
		56	- crc32_combine_op(). len2 must be non-negative.
		57	+ crc32_combine_op(). len2 must be non-negative, otherwise zero is returned.
		58	*/
		59
		60	ZEXTERN uLong ZEXPORT crc32_combine_op(uLong crc1, uLong crc2, uLong op);
		61	--
		62	2.43.0
		63


diff --git a/meta/recipes-core/zlib/zlib_1.3.1.bb b/meta/recipes-core/zlib/zlib_1.3.1.bb index 4992f83463..e42578fd7e 100644 --- a/meta/recipes-core/zlib/zlib_1.3.1.bb +++ b/meta/recipes-core/zlib/zlib_1.3.1.bb
@@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://zlib.h;beginline=6;endline=23;md5=5377232268e952e9ef6
10	SRC_URI = "https://zlib.net/${BP}.tar.gz \	10	SRC_URI = "https://zlib.net/${BP}.tar.gz \
11	file://0001-configure-Pass-LDFLAGS-to-link-tests.patch \	11	file://0001-configure-Pass-LDFLAGS-to-link-tests.patch \
12	file://run-ptest \	12	file://run-ptest \
		13	file://CVE-2026-27171.patch \
13	"	14	"
14	UPSTREAM_CHECK_URI = "http://zlib.net/"	15	UPSTREAM_CHECK_URI = "http://zlib.net/"
15		16