- Include fixes for bnc#1003580 bnc#1003579 bnc#1003577 bnc#1013882:
* zlib-bnc1003580.patch * zlib-bnc1013882.patch CVE-2016-9843 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zlib?expand=0&rev=35
This commit is contained in:
Tomáš Chvátal
Git OBS Bridge
parent
99f0f688c8
commit
70a41d45b7
@ -1,49 +1,29 @@
|
|||||||
From d1d577490c15a0c6862473d7576352a9f18ef811 Mon Sep 17 00:00:00 2001
|
From e54e1299404101a5a9d0cf5e45512b543967f958 Mon Sep 17 00:00:00 2001
|
||||||
From: Mark Adler <madler@alumni.caltech.edu>
|
From: Mark Adler <madler@alumni.caltech.edu>
|
||||||
Date: Wed, 28 Sep 2016 20:20:25 -0700
|
Date: Sat, 5 Sep 2015 17:45:55 -0700
|
||||||
Subject: [PATCH] Avoid pre-decrement of pointer in big-endian CRC calculation.
|
Subject: [PATCH] Avoid shifts of negative values inflateMark().
|
||||||
|
|
||||||
There was a small optimization for PowerPCs to pre-increment a
|
The C standard says that bit shifts of negative integers is
|
||||||
pointer when accessing a word, instead of post-incrementing. This
|
undefined. This casts to unsigned values to assure a known
|
||||||
required prefacing the loop with a decrement of the pointer,
|
result.
|
||||||
possibly pointing before the object passed. This is not compliant
|
|
||||||
with the C standard, for which decrementing a pointer before its
|
|
||||||
allocated memory is undefined. When tested on a modern PowerPC
|
|
||||||
with a modern compiler, the optimization no longer has any effect.
|
|
||||||
Due to all that, and per the recommendation of a security audit of
|
|
||||||
the zlib code by Trail of Bits and TrustInSoft, in support of the
|
|
||||||
Mozilla Foundation, this "optimization" was removed, in order to
|
|
||||||
avoid the possibility of undefined behavior.
|
|
||||||
---
|
---
|
||||||
crc32.c | 4 +---
|
inflate.c | 5 +++--
|
||||||
1 file changed, 1 insertion(+), 3 deletions(-)
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
diff --git a/crc32.c b/crc32.c
|
diff --git a/inflate.c b/inflate.c
|
||||||
index 979a719..05733f4 100644
|
index 2889e3a..a718416 100644
|
||||||
--- a/crc32.c
|
--- a/inflate.c
|
||||||
+++ b/crc32.c
|
+++ b/inflate.c
|
||||||
@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len)
|
@@ -1506,9 +1506,10 @@ z_streamp strm;
|
||||||
|
{
|
||||||
|
struct inflate_state FAR *state;
|
||||||
|
|
||||||
|
- if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16;
|
||||||
|
+ if (strm == Z_NULL || strm->state == Z_NULL)
|
||||||
|
+ return (long)(((unsigned long)0 - 1) << 16);
|
||||||
|
state = (struct inflate_state FAR *)strm->state;
|
||||||
|
- return ((long)(state->back) << 16) +
|
||||||
|
+ return (long)(((unsigned long)((long)state->back)) << 16) +
|
||||||
|
(state->mode == COPY ? state->length :
|
||||||
|
(state->mode == MATCH ? state->was - state->length : 0));
|
||||||
}
|
}
|
||||||
|
|
||||||
/* ========================================================================= */
|
|
||||||
-#define DOBIG4 c ^= *++buf4; \
|
|
||||||
+#define DOBIG4 c ^= *buf4++; \
|
|
||||||
c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \
|
|
||||||
crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24]
|
|
||||||
#define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4
|
|
||||||
@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len)
|
|
||||||
}
|
|
||||||
|
|
||||||
buf4 = (const z_crc_t FAR *)(const void FAR *)buf;
|
|
||||||
- buf4--;
|
|
||||||
while (len >= 32) {
|
|
||||||
DOBIG32;
|
|
||||||
len -= 32;
|
|
||||||
@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len)
|
|
||||||
DOBIG4;
|
|
||||||
len -= 4;
|
|
||||||
}
|
|
||||||
- buf4++;
|
|
||||||
buf = (const unsigned char FAR *)buf4;
|
|
||||||
|
|
||||||
if (len) do {
|
|
||||||
|
|||||||
49
zlib-bnc1013882.patch
Normal file
49
zlib-bnc1013882.patch
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
From d1d577490c15a0c6862473d7576352a9f18ef811 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mark Adler <madler@alumni.caltech.edu>
|
||||||
|
Date: Wed, 28 Sep 2016 20:20:25 -0700
|
||||||
|
Subject: [PATCH] Avoid pre-decrement of pointer in big-endian CRC calculation.
|
||||||
|
|
||||||
|
There was a small optimization for PowerPCs to pre-increment a
|
||||||
|
pointer when accessing a word, instead of post-incrementing. This
|
||||||
|
required prefacing the loop with a decrement of the pointer,
|
||||||
|
possibly pointing before the object passed. This is not compliant
|
||||||
|
with the C standard, for which decrementing a pointer before its
|
||||||
|
allocated memory is undefined. When tested on a modern PowerPC
|
||||||
|
with a modern compiler, the optimization no longer has any effect.
|
||||||
|
Due to all that, and per the recommendation of a security audit of
|
||||||
|
the zlib code by Trail of Bits and TrustInSoft, in support of the
|
||||||
|
Mozilla Foundation, this "optimization" was removed, in order to
|
||||||
|
avoid the possibility of undefined behavior.
|
||||||
|
---
|
||||||
|
crc32.c | 4 +---
|
||||||
|
1 file changed, 1 insertion(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/crc32.c b/crc32.c
|
||||||
|
index 979a719..05733f4 100644
|
||||||
|
--- a/crc32.c
|
||||||
|
+++ b/crc32.c
|
||||||
|
@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len)
|
||||||
|
}
|
||||||
|
|
||||||
|
/* ========================================================================= */
|
||||||
|
-#define DOBIG4 c ^= *++buf4; \
|
||||||
|
+#define DOBIG4 c ^= *buf4++; \
|
||||||
|
c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \
|
||||||
|
crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24]
|
||||||
|
#define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4
|
||||||
|
@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len)
|
||||||
|
}
|
||||||
|
|
||||||
|
buf4 = (const z_crc_t FAR *)(const void FAR *)buf;
|
||||||
|
- buf4--;
|
||||||
|
while (len >= 32) {
|
||||||
|
DOBIG32;
|
||||||
|
len -= 32;
|
||||||
|
@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len)
|
||||||
|
DOBIG4;
|
||||||
|
len -= 4;
|
||||||
|
}
|
||||||
|
- buf4++;
|
||||||
|
buf = (const unsigned char FAR *)buf4;
|
||||||
|
|
||||||
|
if (len) do {
|
||||||
@ -1,11 +1,12 @@
|
|||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Sun Dec 4 12:47:51 UTC 2016 - tchvatal@suse.com
|
Sun Dec 4 12:47:51 UTC 2016 - tchvatal@suse.com
|
||||||
|
|
||||||
- Include fixes for bnc#1003580 bnc#1003579 bnc#1003577:
|
- Include fixes for bnc#1003580 bnc#1003579 bnc#1003577 bnc#1013882:
|
||||||
* zlib-bnc1003577.patch
|
* zlib-bnc1003577.patch
|
||||||
* zlib-bnc1003579-part2.patch
|
* zlib-bnc1003579-part2.patch
|
||||||
* zlib-bnc1003579.patch
|
* zlib-bnc1003579.patch
|
||||||
* zlib-bnc1003580.patch CVE-2016-9843
|
* zlib-bnc1003580.patch
|
||||||
|
* zlib-bnc1013882.patch CVE-2016-9843
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Sep 24 20:21:46 UTC 2015 - jengelh@inai.de
|
Thu Sep 24 20:21:46 UTC 2015 - jengelh@inai.de
|
||||||
|
|||||||
@ -37,6 +37,7 @@ Patch2: zlib-bnc1003577.patch
|
|||||||
Patch3: zlib-bnc1003579-part2.patch
|
Patch3: zlib-bnc1003579-part2.patch
|
||||||
Patch4: zlib-bnc1003579.patch
|
Patch4: zlib-bnc1003579.patch
|
||||||
Patch5: zlib-bnc1003580.patch
|
Patch5: zlib-bnc1003580.patch
|
||||||
|
Patch6: zlib-bnc1013882.patch
|
||||||
BuildRequires: autoconf
|
BuildRequires: autoconf
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
@ -124,6 +125,7 @@ developing applications which use minizip.
|
|||||||
%patch3 -p1
|
%patch3 -p1
|
||||||
%patch4 -p1
|
%patch4 -p1
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
|
%patch6 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export LDFLAGS="-Wl,-z,relro,-z,now"
|
export LDFLAGS="-Wl,-z,relro,-z,now"
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user