| Author | SHA256 | Date | |
|---|---|---|---|
| 817877db32 |
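--- a/CVE-2023-45853.patch
+++ b/CVE-2023-45853.patch
@@ -0,0 +1,38 @@
+From 431e66398552effd82d5c0ea982a521821782ebd Mon Sep 17 00:00:00 2001
+From: Hans Wennborg <hans@chromium.org>
+Date: Fri, 18 Aug 2023 11:05:33 +0200
+Subject: [PATCH] minizip: Check length of comment, filename, and extra field,
+in zipOpenNewFileInZip4_64
+
+These are stored in 16-bit fields in the zip file format. Passing longer
+values would generate an invalid file.
+
+Passing very long values could also cause the computation of
+zi->ci.size_centralheader to overflow, which would cause heap buffer
+overflow on subsequent writes to zi->ci.central_header.
+---
+contrib/minizip/zip.c | 11 +++++++++++
+1 file changed, 11 insertions(+)
+
+diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c
+index 3d3d4cadd..0446109b2 100644
+--- a/contrib/minizip/zip.c
++++ b/contrib/minizip/zip.c
+@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c
+return ZIP_PARAMERROR;
+#endif
+
++ // The filename and comment length must fit in 16 bits.
++ if ((filename!=NULL) && (strlen(filename)>0xffff))
++ return ZIP_PARAMERROR;
++ if ((comment!=NULL) && (strlen(comment)>0xffff))
++ return ZIP_PARAMERROR;
++ // The extra field length must fit in 16 bits. If the member also requires
++ // a Zip64 extra block, that will also need to fit within that 16-bit
++ // length, but that will be checked for later.
++ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
++ return ZIP_PARAMERROR;
++
+zi = (zip64_internal*)file;
+
+if (zi->in_opened_file_inzip == 1)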
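Review bot: The new comment in zipOpenNewFileInZip4_64 says the Zip64 extra-block case "will be checked for later", but that later check is not in this hunk, so the bound on the combined extra-field size rests on code the patch does not show. Because this patch is carried against the packaged source rather than the tree it was written for, please confirm the later check exists there and name it in the comment, e.g. `// ... checked when the Zip64 extra block is appended (see <function name>)`. The three added guards cap the filename, comment and both extra-field lengths at 0xffff, which by the commit message is what keeps the zi->ci.size_centralheader computation from overflowing. The function body starts and ends outside the hunk.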
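--- a/CVE-2026-27171.patch
+++ b/CVE-2026-27171.patch
@@ -0,0 +1,55 @@
+From ba829a458576d1ff0f26fc7230c6de816d1f6a77 Mon Sep 17 00:00:00 2001
+From: Mark Adler <git@madler.net>
+Date: Sun, 21 Dec 2025 18:17:56 -0800
+Subject: [PATCH] Check for negative lengths in crc32_combine functions.
+
+Though zlib.h says that len2 must be non-negative, this avoids the
+possibility of an accidental infinite loop.
+---
+crc32.c | 4 ++++
+zlib.h | 4 ++--
+2 files changed, 6 insertions(+), 2 deletions(-)
+
+Index: b/crc32.c
+===================================================================
+--- a/crc32.c
++++ b/crc32.c
+@@ -1100,6 +1100,8 @@ uLong ZEXPORT crc32_combine64(crc1, crc2
+uLong crc2;
+z_off64_t len2;
+{
++ if (len2 < 0)
++ return 0;
+#ifdef DYNAMIC_CRC_TABLE
+once(&made, make_crc_table);
+#endif /* DYNAMIC_CRC_TABLE */
+@@ -1119,6 +1121,8 @@ uLong ZEXPORT crc32_combine(crc1, crc2,
+uLong ZEXPORT crc32_combine_gen64(len2)
+z_off64_t len2;
+{
++ if (len2 < 0)
++ return 0;
+#ifdef DYNAMIC_CRC_TABLE
+once(&made, make_crc_table);
+#endif /* DYNAMIC_CRC_TABLE */
+Index: b/zlib.h
+===================================================================
+--- a/zlib.h
++++ b/zlib.h
+@@ -1759,14 +1759,14 @@ ZEXTERN uLong ZEXPORT crc32_combine OF((
+seq1 and seq2 with lengths len1 and len2, CRC-32 check values were
+calculated for each, crc1 and crc2. crc32_combine() returns the CRC-32
+check value of seq1 and seq2 concatenated, requiring only crc1, crc2, and
+- len2.
++ len2. len2 must be non-negative, otherwise zero is returned.
+*/
+
+/*
+ZEXTERN uLong ZEXPORT crc32_combine_gen OF((z_off_t len2));
+
+Return the operator corresponding to length len2, to be used with
+- crc32_combine_op().
++ crc32_combine_op(). len2 must be non-negative, otherwise zero is returned.
+*/
+
+ZEXTERN uLong ZEXPORT crc32_combine_op OF((uLong crc1, uLong crc2, uLong op));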
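Review bot: Returning 0 for a negative len2 in crc32_combine64 and crc32_combine_gen64 is an in-band result, since 0 is also a possible CRC-32 value and a caller cannot tell a rejected length from a legitimate answer. I would make the zlib.h sentence say so, e.g. `len2 must be non-negative, otherwise zero is returned; zero is not distinguishable from a valid result, so validate len2 before the call.` crc32_combine_op() is not touched by this patch, so a zero operator from crc32_combine_gen would presumably still be accepted there and yield a value that is not the CRC of the concatenation. Callers that derive len2 from untrusted input should reject negative values themselves. Both function bodies continue outside the hunks.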
11
zlib.changes
@@ -1,3 +1,14 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 18 22:13:47 UTC 2026 - Antonio Teixeira <antonio.teixeira@suse.com>
|
||||
|
||||
- Fix CVE-2026-27171, infinite loop via the crc32_combine64 and
|
||||
crc32_combine_gen64 functions due to missing checks for negative
|
||||
lengths (bsc#1258392)
|
||||
* CVE-2026-27171.patch
|
||||
- Fix CVE-2023-45853, integer overflow and resultant heap-based buffer
|
||||
overflow in zipOpenNewFileInZip4_6, bsc#1216378
|
||||
* CVE-2023-45853.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 28 07:39:30 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>
|
||||
|
||||
|
||||
@@ -56,6 +56,11 @@ Patch18: zlib-1.2.12-add-vectorized-longest_match-for-power.patch
|
||||
# PATCH-FIX-UPSTREAM danilo.spinella@suse.com bsc#1210593 bsc#1211005
|
||||
# Fix deflateBound() before deflateInit()
|
||||
Patch19: bsc1210593.patch
|
||||
# PATCh-FIX-SECURITY CVE-2023-45853.patch bsc#1216378 CVE-2023-45853 danilo.spinella@suse.com
|
||||
# integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6
|
||||
Patch20: CVE-2023-45853.patch
|
||||
# PATCH-FIX-UPSTREAM CVE-2026-27171.patch bsc#1258392 CVE-2026-27171 antonio.teixeira@suse.com
|
||||
Patch21: CVE-2026-27171.patch
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: libtool
|
||||
|
||||
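Review bot: The hunk declares `Patch20` and `Patch21`, but no matching `%patch` lines appear in this section, so whether the two CVE fixes are applied depends on the %prep stage outside the hunk (for example `%autosetup` or `%autopatch`). Please confirm this, because a declared but unapplied patch would leave the changelog claiming fixes the build does not contain. The tag on the Patch20 comment is spelled `PATCh-FIX-SECURITY` with a lowercase `h`, and tooling that matches patch tags case-sensitively may not recognise it; I would align it with the `PATCH-FIX-UPSTREAM` form used on the neighbouring entries. The next comment line names `zipOpenNewFileInZip4_6`, while the patch subject has `zipOpenNewFileInZip4_64`.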