diff --git a/zlib-bnc1003577.patch b/zlib-bnc1003577.patch new file mode 100644 index 0000000..3bc8904 --- /dev/null +++ b/zlib-bnc1003577.patch @@ -0,0 +1,119 @@ +From 3fb251b363866417122fe54a158a1ac5a7837101 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Wed, 21 Sep 2016 20:07:37 -0700 +Subject: [PATCH] Remove dummy structure declarations for old buggy compilers. + +While woolly mammoths still roamed the Earth and before Atlantis +sunk into the ocean, there were C compilers that could not handle +forward structure references, e.g. "struct name;". zlib dutifully +provided a work-around for such compilers. That work-around is no +longer needed, and, per the recommendation of a security audit of +the zlib code by Trail of Bits and TrustInSoft, in support of the +Mozilla Foundation, should be removed since what a compiler will +do with this is technically undefined. From the report: "there is +no telling what interactions the bug could have in the future with +link-time optimizations and type-based alias analyses, both +features that are present (but not default) in clang." +--- + deflate.c | 4 ---- + zconf.h | 5 ----- + zconf.h.cmakein | 5 ----- + zconf.h.in | 5 ----- + zlib.h | 5 ----- + zutil.c | 4 ---- + 6 files changed, 28 deletions(-) + +Index: zlib-1.2.8/deflate.c +=================================================================== +--- zlib-1.2.8.orig/deflate.c ++++ zlib-1.2.8/deflate.c +@@ -151,10 +151,6 @@ local const config configuration_table[1 + #define EQUAL 0 + /* result of memcmp for equal strings */ + +-#ifndef NO_DUMMY_DECL +-struct static_tree_desc_s {int dummy;}; /* for buggy compilers */ +-#endif +- + /* rank Z_BLOCK between Z_NO_FLUSH and Z_PARTIAL_FLUSH */ + #define RANK(f) (((f) << 1) - ((f) > 4 ? 9 : 0)) + +Index: zlib-1.2.8/zconf.h +=================================================================== +--- zlib-1.2.8.orig/zconf.h ++++ zlib-1.2.8/zconf.h +@@ -224,11 +224,6 @@ + # define z_const + #endif + +-/* Some Mac compilers merge all .h files incorrectly: */ +-#if defined(__MWERKS__)||defined(applec)||defined(THINK_C)||defined(__SC__) +-# define NO_DUMMY_DECL +-#endif +- + /* Maximum value for memLevel in deflateInit2 */ + #ifndef MAX_MEM_LEVEL + # ifdef MAXSEG_64K +Index: zlib-1.2.8/zconf.h.cmakein +=================================================================== +--- zlib-1.2.8.orig/zconf.h.cmakein ++++ zlib-1.2.8/zconf.h.cmakein +@@ -226,11 +226,6 @@ + # define z_const + #endif + +-/* Some Mac compilers merge all .h files incorrectly: */ +-#if defined(__MWERKS__)||defined(applec)||defined(THINK_C)||defined(__SC__) +-# define NO_DUMMY_DECL +-#endif +- + /* Maximum value for memLevel in deflateInit2 */ + #ifndef MAX_MEM_LEVEL + # ifdef MAXSEG_64K +Index: zlib-1.2.8/zconf.h.in +=================================================================== +--- zlib-1.2.8.orig/zconf.h.in ++++ zlib-1.2.8/zconf.h.in +@@ -224,11 +224,6 @@ + # define z_const + #endif + +-/* Some Mac compilers merge all .h files incorrectly: */ +-#if defined(__MWERKS__)||defined(applec)||defined(THINK_C)||defined(__SC__) +-# define NO_DUMMY_DECL +-#endif +- + /* Maximum value for memLevel in deflateInit2 */ + #ifndef MAX_MEM_LEVEL + # ifdef MAXSEG_64K +Index: zlib-1.2.8/zlib.h +=================================================================== +--- zlib-1.2.8.orig/zlib.h ++++ zlib-1.2.8/zlib.h +@@ -1741,11 +1741,6 @@ ZEXTERN int ZEXPORT gzgetc_ OF((gzFile f + + #endif /* !Z_SOLO */ + +-/* hack for buggy compilers */ +-#if !defined(ZUTIL_H) && !defined(NO_DUMMY_DECL) +- struct internal_state {int dummy;}; +-#endif +- + /* undocumented functions */ + ZEXTERN const char * ZEXPORT zError OF((int)); + ZEXTERN int ZEXPORT inflateSyncPoint OF((z_streamp)); +Index: zlib-1.2.8/zutil.c +=================================================================== +--- zlib-1.2.8.orig/zutil.c ++++ zlib-1.2.8/zutil.c +@@ -10,10 +10,6 @@ + # include "gzguts.h" + #endif + +-#ifndef NO_DUMMY_DECL +-struct internal_state {int dummy;}; /* for buggy compilers */ +-#endif +- + z_const char * const z_errmsg[10] = { + "need dictionary", /* Z_NEED_DICT 2 */ + "stream end", /* Z_STREAM_END 1 */ diff --git a/zlib-bnc1003579-part2.patch b/zlib-bnc1003579-part2.patch new file mode 100644 index 0000000..dea3429 --- /dev/null +++ b/zlib-bnc1003579-part2.patch @@ -0,0 +1,224 @@ +From 9aaec95e82117c1cb0f9624264c3618fc380cecb Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Wed, 21 Sep 2016 22:25:21 -0700 +Subject: [PATCH] Use post-increment only in inffast.c. + +An old inffast.c optimization turns out to not be optimal anymore +with modern compilers, and furthermore was not compliant with the +C standard, for which decrementing a pointer before its allocated +memory is undefined. Per the recommendation of a security audit of +the zlib code by Trail of Bits and TrustInSoft, in support of the +Mozilla Foundation, this "optimization" was removed, in order to +avoid the possibility of undefined behavior. +--- + inffast.c | 81 ++++++++++++++++++++++++--------------------------------------- + 1 file changed, 31 insertions(+), 50 deletions(-) + +diff --git a/inffast.c b/inffast.c +index bda59ce..f0d163d 100644 +--- a/inffast.c ++++ b/inffast.c +@@ -10,25 +10,6 @@ + + #ifndef ASMINF + +-/* Allow machine dependent optimization for post-increment or pre-increment. +- Based on testing to date, +- Pre-increment preferred for: +- - PowerPC G3 (Adler) +- - MIPS R5000 (Randers-Pehrson) +- Post-increment preferred for: +- - none +- No measurable difference: +- - Pentium III (Anderson) +- - M68060 (Nikl) +- */ +-#ifdef POSTINC +-# define OFF 0 +-# define PUP(a) *(a)++ +-#else +-# define OFF 1 +-# define PUP(a) *++(a) +-#endif +- + /* + Decode literal, length, and distance codes and write out the resulting + literal and match bytes until either not enough input or output is +@@ -96,9 +77,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + + /* copy state to local variables */ + state = (struct inflate_state FAR *)strm->state; +- in = strm->next_in - OFF; ++ in = strm->next_in; + last = in + (strm->avail_in - 5); +- out = strm->next_out - OFF; ++ out = strm->next_out; + beg = out - (start - strm->avail_out); + end = out + (strm->avail_out - 257); + #ifdef INFLATE_STRICT +@@ -119,9 +100,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + input data or output space */ + do { + if (bits < 15) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + } + here = lcode[hold & lmask]; +@@ -134,14 +115,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ? + "inflate: literal '%c'\n" : + "inflate: literal 0x%02x\n", here.val)); +- PUP(out) = (unsigned char)(here.val); ++ *out++ = (unsigned char)(here.val); + } + else if (op & 16) { /* length base */ + len = (unsigned)(here.val); + op &= 15; /* number of extra bits */ + if (op) { + if (bits < op) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + } + len += (unsigned)hold & ((1U << op) - 1); +@@ -150,9 +131,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + } + Tracevv((stderr, "inflate: length %u\n", len)); + if (bits < 15) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + } + here = dcode[hold & dmask]; +@@ -165,10 +146,10 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + dist = (unsigned)(here.val); + op &= 15; /* number of extra bits */ + if (bits < op) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + if (bits < op) { +- hold += (unsigned long)(PUP(in)) << bits; ++ hold += (unsigned long)(*in++) << bits; + bits += 8; + } + } +@@ -196,30 +177,30 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + #ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR + if (len <= op - whave) { + do { +- PUP(out) = 0; ++ *out++ = 0; + } while (--len); + continue; + } + len -= op - whave; + do { +- PUP(out) = 0; ++ *out++ = 0; + } while (--op > whave); + if (op == 0) { + from = out - dist; + do { +- PUP(out) = PUP(from); ++ *out++ = *from++; + } while (--len); + continue; + } + #endif + } +- from = window - OFF; ++ from = window; + if (wnext == 0) { /* very common case */ + from += wsize - op; + if (op < len) { /* some from window */ + len -= op; + do { +- PUP(out) = PUP(from); ++ *out++ = *from++; + } while (--op); + from = out - dist; /* rest from output */ + } +@@ -230,14 +211,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + if (op < len) { /* some from end of window */ + len -= op; + do { +- PUP(out) = PUP(from); ++ *out++ = *from++; + } while (--op); +- from = window - OFF; ++ from = window; + if (wnext < len) { /* some from start of window */ + op = wnext; + len -= op; + do { +- PUP(out) = PUP(from); ++ *out++ = *from++; + } while (--op); + from = out - dist; /* rest from output */ + } +@@ -248,35 +229,35 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + if (op < len) { /* some from window */ + len -= op; + do { +- PUP(out) = PUP(from); ++ *out++ = *from++; + } while (--op); + from = out - dist; /* rest from output */ + } + } + while (len > 2) { +- PUP(out) = PUP(from); +- PUP(out) = PUP(from); +- PUP(out) = PUP(from); ++ *out++ = *from++; ++ *out++ = *from++; ++ *out++ = *from++; + len -= 3; + } + if (len) { +- PUP(out) = PUP(from); ++ *out++ = *from++; + if (len > 1) +- PUP(out) = PUP(from); ++ *out++ = *from++; + } + } + else { + from = out - dist; /* copy direct from output */ + do { /* minimum length is three */ +- PUP(out) = PUP(from); +- PUP(out) = PUP(from); +- PUP(out) = PUP(from); ++ *out++ = *from++; ++ *out++ = *from++; ++ *out++ = *from++; + len -= 3; + } while (len > 2); + if (len) { +- PUP(out) = PUP(from); ++ *out++ = *from++; + if (len > 1) +- PUP(out) = PUP(from); ++ *out++ = *from++; + } + } + } +@@ -313,8 +294,8 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ + hold &= (1U << bits) - 1; + + /* update state and return */ +- strm->next_in = in + OFF; +- strm->next_out = out + OFF; ++ strm->next_in = in; ++ strm->next_out = out; + strm->avail_in = (unsigned)(in < last ? 5 + (last - in) : 5 - (in - last)); + strm->avail_out = (unsigned)(out < end ? + 257 + (end - out) : 257 - (out - end)); diff --git a/zlib-bnc1003579.patch b/zlib-bnc1003579.patch new file mode 100644 index 0000000..4cbd8dd --- /dev/null +++ b/zlib-bnc1003579.patch @@ -0,0 +1,71 @@ +From 6a043145ca6e9c55184013841a67b2fef87e44c0 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Wed, 21 Sep 2016 23:35:50 -0700 +Subject: [PATCH] Remove offset pointer optimization in inftrees.c. + +inftrees.c was subtracting an offset from a pointer to an array, +in order to provide a pointer that allowed indexing starting at +the offset. This is not compliant with the C standard, for which +the behavior of a pointer decremented before its allocated memory +is undefined. Per the recommendation of a security audit of the +zlib code by Trail of Bits and TrustInSoft, in support of the +Mozilla Foundation, this tiny optimization was removed, in order +to avoid the possibility of undefined behavior. +--- + inftrees.c | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/inftrees.c b/inftrees.c +index 22fcd66..0d2670d 100644 +--- a/inftrees.c ++++ b/inftrees.c +@@ -54,7 +54,7 @@ unsigned short FAR *work; + code FAR *next; /* next available space in table */ + const unsigned short FAR *base; /* base value table to use */ + const unsigned short FAR *extra; /* extra bits table to use */ +- int end; /* use base and extra for symbol > end */ ++ unsigned match; /* use base and extra for symbol >= match */ + unsigned short count[MAXBITS+1]; /* number of codes of each length */ + unsigned short offs[MAXBITS+1]; /* offsets in table for each length */ + static const unsigned short lbase[31] = { /* Length codes 257..285 base */ +@@ -181,19 +181,17 @@ unsigned short FAR *work; + switch (type) { + case CODES: + base = extra = work; /* dummy value--not used */ +- end = 19; ++ match = 20; + break; + case LENS: + base = lbase; +- base -= 257; + extra = lext; +- extra -= 257; +- end = 256; ++ match = 257; + break; + default: /* DISTS */ + base = dbase; + extra = dext; +- end = -1; ++ match = 0; + } + + /* initialize state for loop */ +@@ -216,13 +214,13 @@ unsigned short FAR *work; + for (;;) { + /* create table entry */ + here.bits = (unsigned char)(len - drop); +- if ((int)(work[sym]) < end) { ++ if (work[sym] + 1 < match) { + here.op = (unsigned char)0; + here.val = work[sym]; + } +- else if ((int)(work[sym]) > end) { +- here.op = (unsigned char)(extra[work[sym]]); +- here.val = base[work[sym]]; ++ else if (work[sym] >= match) { ++ here.op = (unsigned char)(extra[work[sym] - match]); ++ here.val = base[work[sym] - match]; + } + else { + here.op = (unsigned char)(32 + 64); /* end of block */ diff --git a/zlib-bnc1003580.patch b/zlib-bnc1003580.patch new file mode 100644 index 0000000..065ce69 --- /dev/null +++ b/zlib-bnc1003580.patch @@ -0,0 +1,49 @@ +From d1d577490c15a0c6862473d7576352a9f18ef811 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Wed, 28 Sep 2016 20:20:25 -0700 +Subject: [PATCH] Avoid pre-decrement of pointer in big-endian CRC calculation. + +There was a small optimization for PowerPCs to pre-increment a +pointer when accessing a word, instead of post-incrementing. This +required prefacing the loop with a decrement of the pointer, +possibly pointing before the object passed. This is not compliant +with the C standard, for which decrementing a pointer before its +allocated memory is undefined. When tested on a modern PowerPC +with a modern compiler, the optimization no longer has any effect. +Due to all that, and per the recommendation of a security audit of +the zlib code by Trail of Bits and TrustInSoft, in support of the +Mozilla Foundation, this "optimization" was removed, in order to +avoid the possibility of undefined behavior. +--- + crc32.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/crc32.c b/crc32.c +index 979a719..05733f4 100644 +--- a/crc32.c ++++ b/crc32.c +@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len) + } + + /* ========================================================================= */ +-#define DOBIG4 c ^= *++buf4; \ ++#define DOBIG4 c ^= *buf4++; \ + c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \ + crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24] + #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4 +@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len) + } + + buf4 = (const z_crc_t FAR *)(const void FAR *)buf; +- buf4--; + while (len >= 32) { + DOBIG32; + len -= 32; +@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len) + DOBIG4; + len -= 4; + } +- buf4++; + buf = (const unsigned char FAR *)buf4; + + if (len) do { diff --git a/zlib.changes b/zlib.changes index 039396d..9d10069 100644 --- a/zlib.changes +++ b/zlib.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Sun Dec 4 12:47:51 UTC 2016 - tchvatal@suse.com + +- Include fixes for bnc#1003580 bnc#1003579 bnc#1003577: + * zlib-bnc1003577.patch + * zlib-bnc1003579-part2.patch + * zlib-bnc1003579.patch + * zlib-bnc1003580.patch + ------------------------------------------------------------------- Thu Sep 24 20:21:46 UTC 2015 - jengelh@inai.de diff --git a/zlib.spec b/zlib.spec index 67a70d2..d658556 100644 --- a/zlib.spec +++ b/zlib.spec @@ -32,6 +32,11 @@ Source3: zlib-rpmlintrc Patch0: zlib-1.2.7-improve-longest_match-performance.patch #PATCH-FIX-SUSE: compiler check of varguments passed to gzprintf Patch1: zlib-format.patch +# PATCH-FIX-UPSTREAM: security fixes from upstream git +Patch2: zlib-bnc1003577.patch +Patch3: zlib-bnc1003579-part2.patch +Patch4: zlib-bnc1003579.patch +Patch5: zlib-bnc1003580.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool @@ -115,6 +120,10 @@ developing applications which use minizip. %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 %build export LDFLAGS="-Wl,-z,relro,-z,now"