Accepting request 445412 from devel:libraries:c_c++

- Include fixes for bnc#1003580 bnc#1003579 bnc#1003577 bnc#1013882:
  * zlib-bnc1003580.patch refreshed
  * zlib-bnc1013882.patch CVE-2016-9843

OBS-URL: https://build.opensuse.org/request/show/445412
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/zlib?expand=0&rev=63
This commit is contained in:
Dominique Leuenberger 2016-12-17 08:45:26 +00:00 committed by Git OBS Bridge
commit 6383c1580f
4 changed files with 78 additions and 46 deletions

View File

@ -1,49 +1,29 @@
From d1d577490c15a0c6862473d7576352a9f18ef811 Mon Sep 17 00:00:00 2001 From e54e1299404101a5a9d0cf5e45512b543967f958 Mon Sep 17 00:00:00 2001
From: Mark Adler <madler@alumni.caltech.edu> From: Mark Adler <madler@alumni.caltech.edu>
Date: Wed, 28 Sep 2016 20:20:25 -0700 Date: Sat, 5 Sep 2015 17:45:55 -0700
Subject: [PATCH] Avoid pre-decrement of pointer in big-endian CRC calculation. Subject: [PATCH] Avoid shifts of negative values inflateMark().
There was a small optimization for PowerPCs to pre-increment a The C standard says that bit shifts of negative integers is
pointer when accessing a word, instead of post-incrementing. This undefined. This casts to unsigned values to assure a known
required prefacing the loop with a decrement of the pointer, result.
possibly pointing before the object passed. This is not compliant
with the C standard, for which decrementing a pointer before its
allocated memory is undefined. When tested on a modern PowerPC
with a modern compiler, the optimization no longer has any effect.
Due to all that, and per the recommendation of a security audit of
the zlib code by Trail of Bits and TrustInSoft, in support of the
Mozilla Foundation, this "optimization" was removed, in order to
avoid the possibility of undefined behavior.
--- ---
crc32.c | 4 +--- inflate.c | 5 +++--
1 file changed, 1 insertion(+), 3 deletions(-) 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/crc32.c b/crc32.c diff --git a/inflate.c b/inflate.c
index 979a719..05733f4 100644 index 2889e3a..a718416 100644
--- a/crc32.c --- a/inflate.c
+++ b/crc32.c +++ b/inflate.c
@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len) @@ -1506,9 +1506,10 @@ z_streamp strm;
{
struct inflate_state FAR *state;
- if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16;
+ if (strm == Z_NULL || strm->state == Z_NULL)
+ return (long)(((unsigned long)0 - 1) << 16);
state = (struct inflate_state FAR *)strm->state;
- return ((long)(state->back) << 16) +
+ return (long)(((unsigned long)((long)state->back)) << 16) +
(state->mode == COPY ? state->length :
(state->mode == MATCH ? state->was - state->length : 0));
} }
/* ========================================================================= */
-#define DOBIG4 c ^= *++buf4; \
+#define DOBIG4 c ^= *buf4++; \
c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \
crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24]
#define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4
@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len)
}
buf4 = (const z_crc_t FAR *)(const void FAR *)buf;
- buf4--;
while (len >= 32) {
DOBIG32;
len -= 32;
@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len)
DOBIG4;
len -= 4;
}
- buf4++;
buf = (const unsigned char FAR *)buf4;
if (len) do {

49
zlib-bnc1013882.patch Normal file
View File

@ -0,0 +1,49 @@
From d1d577490c15a0c6862473d7576352a9f18ef811 Mon Sep 17 00:00:00 2001
From: Mark Adler <madler@alumni.caltech.edu>
Date: Wed, 28 Sep 2016 20:20:25 -0700
Subject: [PATCH] Avoid pre-decrement of pointer in big-endian CRC calculation.
There was a small optimization for PowerPCs to pre-increment a
pointer when accessing a word, instead of post-incrementing. This
required prefacing the loop with a decrement of the pointer,
possibly pointing before the object passed. This is not compliant
with the C standard, for which decrementing a pointer before its
allocated memory is undefined. When tested on a modern PowerPC
with a modern compiler, the optimization no longer has any effect.
Due to all that, and per the recommendation of a security audit of
the zlib code by Trail of Bits and TrustInSoft, in support of the
Mozilla Foundation, this "optimization" was removed, in order to
avoid the possibility of undefined behavior.
---
crc32.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/crc32.c b/crc32.c
index 979a719..05733f4 100644
--- a/crc32.c
+++ b/crc32.c
@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len)
}
/* ========================================================================= */
-#define DOBIG4 c ^= *++buf4; \
+#define DOBIG4 c ^= *buf4++; \
c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \
crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24]
#define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4
@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len)
}
buf4 = (const z_crc_t FAR *)(const void FAR *)buf;
- buf4--;
while (len >= 32) {
DOBIG32;
len -= 32;
@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len)
DOBIG4;
len -= 4;
}
- buf4++;
buf = (const unsigned char FAR *)buf4;
if (len) do {

View File

@ -1,11 +1,12 @@
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Dec 4 12:47:51 UTC 2016 - tchvatal@suse.com Sun Dec 4 12:47:51 UTC 2016 - tchvatal@suse.com
- Include fixes for bnc#1003580 bnc#1003579 bnc#1003577: - Include fixes for bnc#1003580 bnc#1003579 bnc#1003577 bnc#1013882:
* zlib-bnc1003577.patch * zlib-bnc1003577.patch
* zlib-bnc1003579-part2.patch * zlib-bnc1003579-part2.patch
* zlib-bnc1003579.patch * zlib-bnc1003579.patch
* zlib-bnc1003580.patch * zlib-bnc1003580.patch refreshed
* zlib-bnc1013882.patch CVE-2016-9843
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Sep 24 20:21:46 UTC 2015 - jengelh@inai.de Thu Sep 24 20:21:46 UTC 2015 - jengelh@inai.de

View File

@ -37,6 +37,7 @@ Patch2: zlib-bnc1003577.patch
Patch3: zlib-bnc1003579-part2.patch Patch3: zlib-bnc1003579-part2.patch
Patch4: zlib-bnc1003579.patch Patch4: zlib-bnc1003579.patch
Patch5: zlib-bnc1003580.patch Patch5: zlib-bnc1003580.patch
Patch6: zlib-bnc1013882.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: libtool BuildRequires: libtool
@ -124,6 +125,7 @@ developing applications which use minizip.
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
%patch6 -p1
%build %build
export LDFLAGS="-Wl,-z,relro,-z,now" export LDFLAGS="-Wl,-z,relro,-z,now"