zlib/CVE-2023-45853.patch

From 431e66398552effd82d5c0ea982a521821782ebd Mon Sep 17 00:00:00 2001
From: Hans Wennborg <hans@chromium.org>
Date: Fri, 18 Aug 2023 11:05:33 +0200
Subject: [PATCH] minizip: Check length of comment, filename, and extra field,
 in zipOpenNewFileInZip4_64

These are stored in 16-bit fields in the zip file format. Passing longer
values would generate an invalid file.

Passing very long values could also cause the computation of
zi->ci.size_centralheader to overflow, which would cause heap buffer
overflow on subsequent writes to zi->ci.central_header.
---
 contrib/minizip/zip.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

Index: zlib-1.3.1/contrib/minizip/zip.c
===================================================================
--- zlib-1.3.1.orig/contrib/minizip/zip.c
+++ zlib-1.3.1/contrib/minizip/zip.c
@@ -1054,6 +1054,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_
     if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
         return ZIP_PARAMERROR;
 
+    // The filename and comment length must fit in 16 bits.
+    if ((filename!=NULL) && (strlen(filename)>0xffff))
+        return ZIP_PARAMERROR;
+    if ((comment!=NULL) && (strlen(comment)>0xffff))
+        return ZIP_PARAMERROR;
+    // The extra field length must fit in 16 bits. If the member also requires
+    // a Zip64 extra block, that will also need to fit within that 16-bit
+    // length, but that will be checked for later.
+    if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
+        return ZIP_PARAMERROR;
+
     zi = (zip64_internal*)file;
 
     if (zi->in_opened_file_inzip == 1)
Accepting request 1119078 from home:dspinella:branches:devel:libraries:c_c++ - Update to 1.3: * Building using K&R (pre-ANSI) function definitions is no longer supported. * Fixed a bug in deflateBound() for level 0 and memLevel 9. * Fixed a bug when gzungetc() is used immediately after gzopen(). * Fixed a bug when using gzflush() with a very small buffer. * Fixed a crash when gzsetparams() is attempted for a transparent write. * Fixed test/example.c to work with FORCE_STORED. * Fixed minizip to allow it to open an empty zip file. * Fixed reading disk number start on zip64 files in minizip. * Fixed a logic error in minizip argument processing. - Added patches: * zlib-1.3-IBM-Z-hw-accelerated-deflate-s390x.patch - Refreshed patches: * zlib-1.2.12-add-optimized-slide_hash-for-power.patch * zlib-1.2.12-add-vectorized-longest_match-for-power.patch * zlib-1.2.12-adler32-vector-optimizations-for-power.patch * zlib-1.2.13-optimized-s390.patch * zlib-format.patch * zlib-no-version-check.patch - Removed patches: * bsc1210593.patch * zlib-1.2.13-fix-bug-deflateBound.patch * zlib-1.2.12-s390-vectorize-crc32.patch * zlib-1.2.13-IBM-Z-hw-accelerated-deflate-s390x.patch * zlib-1.2.12-add-optimized-slide_hash-for-power.patch * zlib-1.2.12-fix-invalid-memory-access-on-ppc-and-ppc64.patch * zlib-1.2.12-add-vectorized-longest_match-for-power.patch * zlib-1.2.12-adler32-vector-optimizations-for-power.patch - Fix CVE-2023-45853, integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6, bsc#1216378 OBS-URL: https://build.opensuse.org/request/show/1119078 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zlib?expand=0&rev=95 2023-10-19 18:28:40 +02:00			`From 431e66398552effd82d5c0ea982a521821782ebd Mon Sep 17 00:00:00 2001`
			`From: Hans Wennborg <hans@chromium.org>`
			`Date: Fri, 18 Aug 2023 11:05:33 +0200`
			`Subject: [PATCH] minizip: Check length of comment, filename, and extra field,`
			`in zipOpenNewFileInZip4_64`

			`These are stored in 16-bit fields in the zip file format. Passing longer`
			`values would generate an invalid file.`

			`Passing very long values could also cause the computation of`
			`zi->ci.size_centralheader to overflow, which would cause heap buffer`
			`overflow on subsequent writes to zi->ci.central_header.`
			`---`
			`contrib/minizip/zip.c \| 11 +++++++++++`
			`1 file changed, 11 insertions(+)`

Accepting request 1149966 from home:dspinella:branches:devel:libraries:c_c++ - Update to 1.3.1: * Reject overflows of zip header fields in minizip * Fix bug in inflateSync() for data held in bit buffer * Add LIT_MEM define to use more memory for a small deflate speedup * Fix decision on the emission of Zip64 end records in minizip * Add bounds checking to ERR_MSG() macro, used by zError() * Neutralize zip file traversal attacks in miniunz * Fix a bug in ZLIB_DEBUG compiles in check_match() - Update pacthes: * CVE-2023-45853.patch * zlib-1.3-IBM-Z-hw-accelerated-deflate-s390x.patch OBS-URL: https://build.opensuse.org/request/show/1149966 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zlib?expand=0&rev=99 2024-02-26 12:03:17 +01:00			`Index: zlib-1.3.1/contrib/minizip/zip.c`
			`===================================================================`
			`--- zlib-1.3.1.orig/contrib/minizip/zip.c`
			`+++ zlib-1.3.1/contrib/minizip/zip.c`
			`@@ -1054,6 +1054,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_`
			`if ((size_extrafield_local>0xffff) \|\| (size_extrafield_global>0xffff))`
			`return ZIP_PARAMERROR;`
Accepting request 1119078 from home:dspinella:branches:devel:libraries:c_c++ - Update to 1.3: * Building using K&R (pre-ANSI) function definitions is no longer supported. * Fixed a bug in deflateBound() for level 0 and memLevel 9. * Fixed a bug when gzungetc() is used immediately after gzopen(). * Fixed a bug when using gzflush() with a very small buffer. * Fixed a crash when gzsetparams() is attempted for a transparent write. * Fixed test/example.c to work with FORCE_STORED. * Fixed minizip to allow it to open an empty zip file. * Fixed reading disk number start on zip64 files in minizip. * Fixed a logic error in minizip argument processing. - Added patches: * zlib-1.3-IBM-Z-hw-accelerated-deflate-s390x.patch - Refreshed patches: * zlib-1.2.12-add-optimized-slide_hash-for-power.patch * zlib-1.2.12-add-vectorized-longest_match-for-power.patch * zlib-1.2.12-adler32-vector-optimizations-for-power.patch * zlib-1.2.13-optimized-s390.patch * zlib-format.patch * zlib-no-version-check.patch - Removed patches: * bsc1210593.patch * zlib-1.2.13-fix-bug-deflateBound.patch * zlib-1.2.12-s390-vectorize-crc32.patch * zlib-1.2.13-IBM-Z-hw-accelerated-deflate-s390x.patch * zlib-1.2.12-add-optimized-slide_hash-for-power.patch * zlib-1.2.12-fix-invalid-memory-access-on-ppc-and-ppc64.patch * zlib-1.2.12-add-vectorized-longest_match-for-power.patch * zlib-1.2.12-adler32-vector-optimizations-for-power.patch - Fix CVE-2023-45853, integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6, bsc#1216378 OBS-URL: https://build.opensuse.org/request/show/1119078 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zlib?expand=0&rev=95 2023-10-19 18:28:40 +02:00
			`+ // The filename and comment length must fit in 16 bits.`
			`+ if ((filename!=NULL) && (strlen(filename)>0xffff))`
			`+ return ZIP_PARAMERROR;`
			`+ if ((comment!=NULL) && (strlen(comment)>0xffff))`
			`+ return ZIP_PARAMERROR;`
			`+ // The extra field length must fit in 16 bits. If the member also requires`
			`+ // a Zip64 extra block, that will also need to fit within that 16-bit`
			`+ // length, but that will be checked for later.`
			`+ if ((size_extrafield_local>0xffff) \|\| (size_extrafield_global>0xffff))`
			`+ return ZIP_PARAMERROR;`
			`+`
			`zi = (zip64_internal*)file;`

			`if (zi->in_opened_file_inzip == 1)`