diff --git a/zlib-bnc1003580.patch b/zlib-bnc1003580.patch index 065ce69..755e89d 100644 --- a/zlib-bnc1003580.patch +++ b/zlib-bnc1003580.patch @@ -1,49 +1,29 @@ -From d1d577490c15a0c6862473d7576352a9f18ef811 Mon Sep 17 00:00:00 2001 +From e54e1299404101a5a9d0cf5e45512b543967f958 Mon Sep 17 00:00:00 2001 From: Mark Adler -Date: Wed, 28 Sep 2016 20:20:25 -0700 -Subject: [PATCH] Avoid pre-decrement of pointer in big-endian CRC calculation. +Date: Sat, 5 Sep 2015 17:45:55 -0700 +Subject: [PATCH] Avoid shifts of negative values inflateMark(). -There was a small optimization for PowerPCs to pre-increment a -pointer when accessing a word, instead of post-incrementing. This -required prefacing the loop with a decrement of the pointer, -possibly pointing before the object passed. This is not compliant -with the C standard, for which decrementing a pointer before its -allocated memory is undefined. When tested on a modern PowerPC -with a modern compiler, the optimization no longer has any effect. -Due to all that, and per the recommendation of a security audit of -the zlib code by Trail of Bits and TrustInSoft, in support of the -Mozilla Foundation, this "optimization" was removed, in order to -avoid the possibility of undefined behavior. +The C standard says that bit shifts of negative integers is +undefined. This casts to unsigned values to assure a known +result. --- - crc32.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) + inflate.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) -diff --git a/crc32.c b/crc32.c -index 979a719..05733f4 100644 ---- a/crc32.c -+++ b/crc32.c -@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len) +diff --git a/inflate.c b/inflate.c +index 2889e3a..a718416 100644 +--- a/inflate.c ++++ b/inflate.c +@@ -1506,9 +1506,10 @@ z_streamp strm; + { + struct inflate_state FAR *state; + +- if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16; ++ if (strm == Z_NULL || strm->state == Z_NULL) ++ return (long)(((unsigned long)0 - 1) << 16); + state = (struct inflate_state FAR *)strm->state; +- return ((long)(state->back) << 16) + ++ return (long)(((unsigned long)((long)state->back)) << 16) + + (state->mode == COPY ? state->length : + (state->mode == MATCH ? state->was - state->length : 0)); } - - /* ========================================================================= */ --#define DOBIG4 c ^= *++buf4; \ -+#define DOBIG4 c ^= *buf4++; \ - c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \ - crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24] - #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4 -@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len) - } - - buf4 = (const z_crc_t FAR *)(const void FAR *)buf; -- buf4--; - while (len >= 32) { - DOBIG32; - len -= 32; -@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len) - DOBIG4; - len -= 4; - } -- buf4++; - buf = (const unsigned char FAR *)buf4; - - if (len) do { diff --git a/zlib-bnc1013882.patch b/zlib-bnc1013882.patch new file mode 100644 index 0000000..065ce69 --- /dev/null +++ b/zlib-bnc1013882.patch @@ -0,0 +1,49 @@ +From d1d577490c15a0c6862473d7576352a9f18ef811 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Wed, 28 Sep 2016 20:20:25 -0700 +Subject: [PATCH] Avoid pre-decrement of pointer in big-endian CRC calculation. + +There was a small optimization for PowerPCs to pre-increment a +pointer when accessing a word, instead of post-incrementing. This +required prefacing the loop with a decrement of the pointer, +possibly pointing before the object passed. This is not compliant +with the C standard, for which decrementing a pointer before its +allocated memory is undefined. When tested on a modern PowerPC +with a modern compiler, the optimization no longer has any effect. +Due to all that, and per the recommendation of a security audit of +the zlib code by Trail of Bits and TrustInSoft, in support of the +Mozilla Foundation, this "optimization" was removed, in order to +avoid the possibility of undefined behavior. +--- + crc32.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/crc32.c b/crc32.c +index 979a719..05733f4 100644 +--- a/crc32.c ++++ b/crc32.c +@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len) + } + + /* ========================================================================= */ +-#define DOBIG4 c ^= *++buf4; \ ++#define DOBIG4 c ^= *buf4++; \ + c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \ + crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24] + #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4 +@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len) + } + + buf4 = (const z_crc_t FAR *)(const void FAR *)buf; +- buf4--; + while (len >= 32) { + DOBIG32; + len -= 32; +@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len) + DOBIG4; + len -= 4; + } +- buf4++; + buf = (const unsigned char FAR *)buf4; + + if (len) do { diff --git a/zlib.changes b/zlib.changes index 9d10069..1277db4 100644 --- a/zlib.changes +++ b/zlib.changes @@ -1,11 +1,12 @@ ------------------------------------------------------------------- Sun Dec 4 12:47:51 UTC 2016 - tchvatal@suse.com -- Include fixes for bnc#1003580 bnc#1003579 bnc#1003577: +- Include fixes for bnc#1003580 bnc#1003579 bnc#1003577 bnc#1013882: * zlib-bnc1003577.patch * zlib-bnc1003579-part2.patch * zlib-bnc1003579.patch - * zlib-bnc1003580.patch + * zlib-bnc1003580.patch refreshed + * zlib-bnc1013882.patch CVE-2016-9843 ------------------------------------------------------------------- Thu Sep 24 20:21:46 UTC 2015 - jengelh@inai.de diff --git a/zlib.spec b/zlib.spec index d658556..c129396 100644 --- a/zlib.spec +++ b/zlib.spec @@ -37,6 +37,7 @@ Patch2: zlib-bnc1003577.patch Patch3: zlib-bnc1003579-part2.patch Patch4: zlib-bnc1003579.patch Patch5: zlib-bnc1003580.patch +Patch6: zlib-bnc1013882.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool @@ -124,6 +125,7 @@ developing applications which use minizip. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %build export LDFLAGS="-Wl,-z,relro,-z,now"