diff mbox series

zlib: Incorporate fix for CVE-2022-37434

Message ID	b5a5c37b-4856-48eb-77d6-59c9409ec876@ipfire.org
State	Accepted
Commit	30f0ea198dc3406ef21de6df789f22272f97ab0f
Headers	Message-ID: <b5a5c37b-4856-48eb-77d6-59c9409ec876@ipfire.org> Date: Sun, 7 Aug 2022 09:18:45 +0000 MIME-Version: 1.0 Content-Language: en-US To: "IPFire: Development" <development@lists.ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org> Subject: [PATCH] zlib: Incorporate fix for CVE-2022-37434 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org>
Series	zlib: Incorporate fix for CVE-2022-37434 \| zlib: Incorporate fix for CVE-2022-37434

Commit Message

Peter Müller Aug. 7, 2022, 9:18 a.m. UTC

  https://www.cve.org/CVERecord?id=CVE-2022-37434

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 lfs/zlib                              |  4 ++++
 src/patches/zlib-CVE-2022-37434.patch | 29 +++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 src/patches/zlib-CVE-2022-37434.patch

Comments

Michael Tremer Aug. 7, 2022, 9:55 a.m. UTC | #1

Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>

> On 7 Aug 2022, at 10:18, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> https://www.cve.org/CVERecord?id=CVE-2022-37434
> 
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> lfs/zlib                              |  4 ++++
> src/patches/zlib-CVE-2022-37434.patch | 29 +++++++++++++++++++++++++++
> 2 files changed, 33 insertions(+)
> create mode 100644 src/patches/zlib-CVE-2022-37434.patch
> 
> diff --git a/lfs/zlib b/lfs/zlib
> index 19740fb7f..8197c9b45 100644
> --- a/lfs/zlib
> +++ b/lfs/zlib
> @@ -77,6 +77,10 @@ $(subst %,%_BLAKE2,$(objects)) :
> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> 	@$(PREBUILD)
> 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
> +
> +	# Fix for CVE-2022-37434
> +	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/zlib-CVE-2022-37434.patch
> +
> 	cd $(DIR_APP) && CROSS_PREFIX=$(CROSS_PREFIX) ./configure --prefix=$(PREFIX) --shared
> 	cd $(DIR_APP) && make $(MAKETUNING)
> 	cd $(DIR_APP) && make install
> diff --git a/src/patches/zlib-CVE-2022-37434.patch b/src/patches/zlib-CVE-2022-37434.patch
> new file mode 100644
> index 000000000..95e9f173f
> --- /dev/null
> +++ b/src/patches/zlib-CVE-2022-37434.patch
> @@ -0,0 +1,29 @@
> +commit eff308af425b67093bab25f80f1ae950166bece1
> +Author: Mark Adler <fork@madler.net>
> +Date:   Sat Jul 30 15:51:11 2022 -0700
> +
> +    Fix a bug when getting a gzip header extra field with inflate().
> +    
> +    If the extra field was larger than the space the user provided with
> +    inflateGetHeader(), and if multiple calls of inflate() delivered
> +    the extra header data, then there could be a buffer overflow of the
> +    provided space. This commit assures that provided space is not
> +    exceeded.
> +
> +diff --git a/inflate.c b/inflate.c
> +index 7be8c63..7a72897 100644
> +--- a/inflate.c
> ++++ b/inflate.c
> +@@ -763,9 +763,10 @@ int flush;
> +                 copy = state->length;
> +                 if (copy > have) copy = have;
> +                 if (copy) {
> ++                    len = state->head->extra_len - state->length;
> +                     if (state->head != Z_NULL &&
> +-                        state->head->extra != Z_NULL) {
> +-                        len = state->head->extra_len - state->length;
> ++                        state->head->extra != Z_NULL &&
> ++                        len < state->head->extra_max) {
> +                         zmemcpy(state->head->extra + len, next,
> +                                 len + copy > state->head->extra_max ?
> +                                 state->head->extra_max - len : copy);
> -- 
> 2.35.3

diff mbox series

Patch

diff --git a/lfs/zlib b/lfs/zlib
index 19740fb7f..8197c9b45 100644
--- a/lfs/zlib
+++ b/lfs/zlib
@@ -77,6 +77,10 @@  $(subst %,%_BLAKE2,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+
+	# Fix for CVE-2022-37434
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/zlib-CVE-2022-37434.patch
+
 	cd $(DIR_APP) && CROSS_PREFIX=$(CROSS_PREFIX) ./configure --prefix=$(PREFIX) --shared
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
diff --git a/src/patches/zlib-CVE-2022-37434.patch b/src/patches/zlib-CVE-2022-37434.patch
new file mode 100644
index 000000000..95e9f173f
--- /dev/null
+++ b/src/patches/zlib-CVE-2022-37434.patch
@@ -0,0 +1,29 @@ 
+commit eff308af425b67093bab25f80f1ae950166bece1
+Author: Mark Adler <fork@madler.net>
+Date:   Sat Jul 30 15:51:11 2022 -0700
+
+    Fix a bug when getting a gzip header extra field with inflate().
+    
+    If the extra field was larger than the space the user provided with
+    inflateGetHeader(), and if multiple calls of inflate() delivered
+    the extra header data, then there could be a buffer overflow of the
+    provided space. This commit assures that provided space is not
+    exceeded.
+
+diff --git a/inflate.c b/inflate.c
+index 7be8c63..7a72897 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,9 +763,10 @@ int flush;
+                 copy = state->length;
+                 if (copy > have) copy = have;
+                 if (copy) {
++                    len = state->head->extra_len - state->length;
+                     if (state->head != Z_NULL &&
+-                        state->head->extra != Z_NULL) {
+-                        len = state->head->extra_len - state->length;
++                        state->head->extra != Z_NULL &&
++                        len < state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);