From 6c4d47582ba4f621d80f673545dac3e5c2c4cb998e8d89941042aff145443d62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Mon, 12 Dec 2016 10:54:09 +0000 Subject: [PATCH 1/4] - Add fix for bnc#1013882 CVE-2016-9843: * zlib-CVE-2016-9843.patch OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zlib?expand=0&rev=33 --- zlib-CVE-2016-9843.patch | 49 ++++++++++++++++++++++++++++++++++++++++ zlib.changes | 6 +++++ zlib.spec | 2 ++ 3 files changed, 57 insertions(+) create mode 100644 zlib-CVE-2016-9843.patch diff --git a/zlib-CVE-2016-9843.patch b/zlib-CVE-2016-9843.patch new file mode 100644 index 0000000..065ce69 --- /dev/null +++ b/zlib-CVE-2016-9843.patch @@ -0,0 +1,49 @@ +From d1d577490c15a0c6862473d7576352a9f18ef811 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Wed, 28 Sep 2016 20:20:25 -0700 +Subject: [PATCH] Avoid pre-decrement of pointer in big-endian CRC calculation. + +There was a small optimization for PowerPCs to pre-increment a +pointer when accessing a word, instead of post-incrementing. This +required prefacing the loop with a decrement of the pointer, +possibly pointing before the object passed. This is not compliant +with the C standard, for which decrementing a pointer before its +allocated memory is undefined. When tested on a modern PowerPC +with a modern compiler, the optimization no longer has any effect. +Due to all that, and per the recommendation of a security audit of +the zlib code by Trail of Bits and TrustInSoft, in support of the +Mozilla Foundation, this "optimization" was removed, in order to +avoid the possibility of undefined behavior. +--- + crc32.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/crc32.c b/crc32.c +index 979a719..05733f4 100644 +--- a/crc32.c ++++ b/crc32.c +@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len) + } + + /* ========================================================================= */ +-#define DOBIG4 c ^= *++buf4; \ ++#define DOBIG4 c ^= *buf4++; \ + c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \ + crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24] + #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4 +@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len) + } + + buf4 = (const z_crc_t FAR *)(const void FAR *)buf; +- buf4--; + while (len >= 32) { + DOBIG32; + len -= 32; +@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len) + DOBIG4; + len -= 4; + } +- buf4++; + buf = (const unsigned char FAR *)buf4; + + if (len) do { diff --git a/zlib.changes b/zlib.changes index 9d10069..92a1834 100644 --- a/zlib.changes +++ b/zlib.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Dec 12 10:53:19 UTC 2016 - tchvatal@suse.com + +- Add fix for bnc#1013882 CVE-2016-9843: + * zlib-CVE-2016-9843.patch + ------------------------------------------------------------------- Sun Dec 4 12:47:51 UTC 2016 - tchvatal@suse.com diff --git a/zlib.spec b/zlib.spec index d658556..bf018c9 100644 --- a/zlib.spec +++ b/zlib.spec @@ -37,6 +37,7 @@ Patch2: zlib-bnc1003577.patch Patch3: zlib-bnc1003579-part2.patch Patch4: zlib-bnc1003579.patch Patch5: zlib-bnc1003580.patch +Patch6: zlib-CVE-2016-9843.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool @@ -124,6 +125,7 @@ developing applications which use minizip. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %build export LDFLAGS="-Wl,-z,relro,-z,now" From 99f0f688c8cf63823143fe59e857a1af674e500ce055d0d2761910bca58d81b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Mon, 12 Dec 2016 10:56:26 +0000 Subject: [PATCH 2/4] * zlib-bnc1003580.patch CVE-2016-9843 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zlib?expand=0&rev=34 --- zlib-CVE-2016-9843.patch | 49 ---------------------------------------- zlib.changes | 8 +------ zlib.spec | 2 -- 3 files changed, 1 insertion(+), 58 deletions(-) delete mode 100644 zlib-CVE-2016-9843.patch diff --git a/zlib-CVE-2016-9843.patch b/zlib-CVE-2016-9843.patch deleted file mode 100644 index 065ce69..0000000 --- a/zlib-CVE-2016-9843.patch +++ /dev/null @@ -1,49 +0,0 @@ -From d1d577490c15a0c6862473d7576352a9f18ef811 Mon Sep 17 00:00:00 2001 -From: Mark Adler -Date: Wed, 28 Sep 2016 20:20:25 -0700 -Subject: [PATCH] Avoid pre-decrement of pointer in big-endian CRC calculation. - -There was a small optimization for PowerPCs to pre-increment a -pointer when accessing a word, instead of post-incrementing. This -required prefacing the loop with a decrement of the pointer, -possibly pointing before the object passed. This is not compliant -with the C standard, for which decrementing a pointer before its -allocated memory is undefined. When tested on a modern PowerPC -with a modern compiler, the optimization no longer has any effect. -Due to all that, and per the recommendation of a security audit of -the zlib code by Trail of Bits and TrustInSoft, in support of the -Mozilla Foundation, this "optimization" was removed, in order to -avoid the possibility of undefined behavior. ---- - crc32.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/crc32.c b/crc32.c -index 979a719..05733f4 100644 ---- a/crc32.c -+++ b/crc32.c -@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len) - } - - /* ========================================================================= */ --#define DOBIG4 c ^= *++buf4; \ -+#define DOBIG4 c ^= *buf4++; \ - c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \ - crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24] - #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4 -@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len) - } - - buf4 = (const z_crc_t FAR *)(const void FAR *)buf; -- buf4--; - while (len >= 32) { - DOBIG32; - len -= 32; -@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len) - DOBIG4; - len -= 4; - } -- buf4++; - buf = (const unsigned char FAR *)buf4; - - if (len) do { diff --git a/zlib.changes b/zlib.changes index 92a1834..fc684e3 100644 --- a/zlib.changes +++ b/zlib.changes @@ -1,9 +1,3 @@ -------------------------------------------------------------------- -Mon Dec 12 10:53:19 UTC 2016 - tchvatal@suse.com - -- Add fix for bnc#1013882 CVE-2016-9843: - * zlib-CVE-2016-9843.patch - ------------------------------------------------------------------- Sun Dec 4 12:47:51 UTC 2016 - tchvatal@suse.com @@ -11,7 +5,7 @@ Sun Dec 4 12:47:51 UTC 2016 - tchvatal@suse.com * zlib-bnc1003577.patch * zlib-bnc1003579-part2.patch * zlib-bnc1003579.patch - * zlib-bnc1003580.patch + * zlib-bnc1003580.patch CVE-2016-9843 ------------------------------------------------------------------- Thu Sep 24 20:21:46 UTC 2015 - jengelh@inai.de diff --git a/zlib.spec b/zlib.spec index bf018c9..d658556 100644 --- a/zlib.spec +++ b/zlib.spec @@ -37,7 +37,6 @@ Patch2: zlib-bnc1003577.patch Patch3: zlib-bnc1003579-part2.patch Patch4: zlib-bnc1003579.patch Patch5: zlib-bnc1003580.patch -Patch6: zlib-CVE-2016-9843.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool @@ -125,7 +124,6 @@ developing applications which use minizip. %patch3 -p1 %patch4 -p1 %patch5 -p1 -%patch6 -p1 %build export LDFLAGS="-Wl,-z,relro,-z,now" From 70a41d45b75818feaeb4c1553ec560e5ba1c38f1091f72707f436cba5b3106e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Mon, 12 Dec 2016 12:15:08 +0000 Subject: [PATCH 3/4] - Include fixes for bnc#1003580 bnc#1003579 bnc#1003577 bnc#1013882: * zlib-bnc1003580.patch * zlib-bnc1013882.patch CVE-2016-9843 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zlib?expand=0&rev=35 --- zlib-bnc1003580.patch | 68 +++++++++++++++---------------------------- zlib-bnc1013882.patch | 49 +++++++++++++++++++++++++++++++ zlib.changes | 5 ++-- zlib.spec | 2 ++ 4 files changed, 78 insertions(+), 46 deletions(-) create mode 100644 zlib-bnc1013882.patch diff --git a/zlib-bnc1003580.patch b/zlib-bnc1003580.patch index 065ce69..755e89d 100644 --- a/zlib-bnc1003580.patch +++ b/zlib-bnc1003580.patch @@ -1,49 +1,29 @@ -From d1d577490c15a0c6862473d7576352a9f18ef811 Mon Sep 17 00:00:00 2001 +From e54e1299404101a5a9d0cf5e45512b543967f958 Mon Sep 17 00:00:00 2001 From: Mark Adler -Date: Wed, 28 Sep 2016 20:20:25 -0700 -Subject: [PATCH] Avoid pre-decrement of pointer in big-endian CRC calculation. +Date: Sat, 5 Sep 2015 17:45:55 -0700 +Subject: [PATCH] Avoid shifts of negative values inflateMark(). -There was a small optimization for PowerPCs to pre-increment a -pointer when accessing a word, instead of post-incrementing. This -required prefacing the loop with a decrement of the pointer, -possibly pointing before the object passed. This is not compliant -with the C standard, for which decrementing a pointer before its -allocated memory is undefined. When tested on a modern PowerPC -with a modern compiler, the optimization no longer has any effect. -Due to all that, and per the recommendation of a security audit of -the zlib code by Trail of Bits and TrustInSoft, in support of the -Mozilla Foundation, this "optimization" was removed, in order to -avoid the possibility of undefined behavior. +The C standard says that bit shifts of negative integers is +undefined. This casts to unsigned values to assure a known +result. --- - crc32.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) + inflate.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) -diff --git a/crc32.c b/crc32.c -index 979a719..05733f4 100644 ---- a/crc32.c -+++ b/crc32.c -@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len) +diff --git a/inflate.c b/inflate.c +index 2889e3a..a718416 100644 +--- a/inflate.c ++++ b/inflate.c +@@ -1506,9 +1506,10 @@ z_streamp strm; + { + struct inflate_state FAR *state; + +- if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16; ++ if (strm == Z_NULL || strm->state == Z_NULL) ++ return (long)(((unsigned long)0 - 1) << 16); + state = (struct inflate_state FAR *)strm->state; +- return ((long)(state->back) << 16) + ++ return (long)(((unsigned long)((long)state->back)) << 16) + + (state->mode == COPY ? state->length : + (state->mode == MATCH ? state->was - state->length : 0)); } - - /* ========================================================================= */ --#define DOBIG4 c ^= *++buf4; \ -+#define DOBIG4 c ^= *buf4++; \ - c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \ - crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24] - #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4 -@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len) - } - - buf4 = (const z_crc_t FAR *)(const void FAR *)buf; -- buf4--; - while (len >= 32) { - DOBIG32; - len -= 32; -@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len) - DOBIG4; - len -= 4; - } -- buf4++; - buf = (const unsigned char FAR *)buf4; - - if (len) do { diff --git a/zlib-bnc1013882.patch b/zlib-bnc1013882.patch new file mode 100644 index 0000000..065ce69 --- /dev/null +++ b/zlib-bnc1013882.patch @@ -0,0 +1,49 @@ +From d1d577490c15a0c6862473d7576352a9f18ef811 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Wed, 28 Sep 2016 20:20:25 -0700 +Subject: [PATCH] Avoid pre-decrement of pointer in big-endian CRC calculation. + +There was a small optimization for PowerPCs to pre-increment a +pointer when accessing a word, instead of post-incrementing. This +required prefacing the loop with a decrement of the pointer, +possibly pointing before the object passed. This is not compliant +with the C standard, for which decrementing a pointer before its +allocated memory is undefined. When tested on a modern PowerPC +with a modern compiler, the optimization no longer has any effect. +Due to all that, and per the recommendation of a security audit of +the zlib code by Trail of Bits and TrustInSoft, in support of the +Mozilla Foundation, this "optimization" was removed, in order to +avoid the possibility of undefined behavior. +--- + crc32.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/crc32.c b/crc32.c +index 979a719..05733f4 100644 +--- a/crc32.c ++++ b/crc32.c +@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len) + } + + /* ========================================================================= */ +-#define DOBIG4 c ^= *++buf4; \ ++#define DOBIG4 c ^= *buf4++; \ + c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \ + crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24] + #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4 +@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len) + } + + buf4 = (const z_crc_t FAR *)(const void FAR *)buf; +- buf4--; + while (len >= 32) { + DOBIG32; + len -= 32; +@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len) + DOBIG4; + len -= 4; + } +- buf4++; + buf = (const unsigned char FAR *)buf4; + + if (len) do { diff --git a/zlib.changes b/zlib.changes index fc684e3..1f2ecfe 100644 --- a/zlib.changes +++ b/zlib.changes @@ -1,11 +1,12 @@ ------------------------------------------------------------------- Sun Dec 4 12:47:51 UTC 2016 - tchvatal@suse.com -- Include fixes for bnc#1003580 bnc#1003579 bnc#1003577: +- Include fixes for bnc#1003580 bnc#1003579 bnc#1003577 bnc#1013882: * zlib-bnc1003577.patch * zlib-bnc1003579-part2.patch * zlib-bnc1003579.patch - * zlib-bnc1003580.patch CVE-2016-9843 + * zlib-bnc1003580.patch + * zlib-bnc1013882.patch CVE-2016-9843 ------------------------------------------------------------------- Thu Sep 24 20:21:46 UTC 2015 - jengelh@inai.de diff --git a/zlib.spec b/zlib.spec index d658556..c129396 100644 --- a/zlib.spec +++ b/zlib.spec @@ -37,6 +37,7 @@ Patch2: zlib-bnc1003577.patch Patch3: zlib-bnc1003579-part2.patch Patch4: zlib-bnc1003579.patch Patch5: zlib-bnc1003580.patch +Patch6: zlib-bnc1013882.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: libtool @@ -124,6 +125,7 @@ developing applications which use minizip. %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %build export LDFLAGS="-Wl,-z,relro,-z,now" From 2f9a1a311f853bf2dd37c3cf28c3ca5d67320aa3e8fe3bed6a7f55158827d338 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Mon, 12 Dec 2016 12:16:10 +0000 Subject: [PATCH 4/4] * zlib-bnc1003580.patch refreshed OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zlib?expand=0&rev=36 --- zlib.changes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zlib.changes b/zlib.changes index 1f2ecfe..1277db4 100644 --- a/zlib.changes +++ b/zlib.changes @@ -5,7 +5,7 @@ Sun Dec 4 12:47:51 UTC 2016 - tchvatal@suse.com * zlib-bnc1003577.patch * zlib-bnc1003579-part2.patch * zlib-bnc1003579.patch - * zlib-bnc1003580.patch + * zlib-bnc1003580.patch refreshed * zlib-bnc1013882.patch CVE-2016-9843 -------------------------------------------------------------------