From patchwork Sun Aug 7 09:18:45 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 5845 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4M0v0K4j5tz40W2 for ; Sun, 7 Aug 2022 09:18:57 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4M0v0H4dPmzbV; Sun, 7 Aug 2022 09:18:55 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4M0v0H3sYkz2yVQ; Sun, 7 Aug 2022 09:18:55 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4M0v0F73yBz2ySj for ; Sun, 7 Aug 2022 09:18:53 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4M0v0C4FFmz1Q6 for ; Sun, 7 Aug 2022 09:18:51 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1659863932; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=bNK1IytGkBRFeLr9hLVPKH4qBTmktCZqsloK9w2t9mU=; b=VGgBDiYBExI9cL6HI5VsOMPKVZXCZ+10fO9PUT5fWQNZ25nvjBIreJ10vmN6BFjajtJa7y tOAVKYMsnro7UXAQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1659863932; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=bNK1IytGkBRFeLr9hLVPKH4qBTmktCZqsloK9w2t9mU=; b=nXkIDz+6gnSXq6rCLvYx9QVmECNJhOE8VVIWqR2HPIXt2WVeBBAm6XytrudMhHiz9ah9Vg EA89GPcsX1lw/+NvvqZuofFVBxHLm/GAcURi2nHmdY7Gv4U6PdmDPK2xod/Std4F0woFKt kHyfL2nVKkfI/BE9M0k1k67nbegbZLQbHaAubC0M9atqZ6RRRCnd3Fm7iDCGCbmpFa05Gv CCNzUCwVJ1eAAK9FQMgrdXwdcohR/+xQCh0pVdBVTGTBYa6vhDjrCcmz1XG2KOIGkZG8hd UpNWNIpTFp+LcrxRyYE9880Qqkybm4uwIbqdqeYBqb1L/JBSUIN3iV1pF/ir4g== Message-ID: Date: Sun, 7 Aug 2022 09:18:45 +0000 MIME-Version: 1.0 Content-Language: en-US To: "IPFire: Development" From: =?utf-8?q?Peter_M=C3=BCller?= Subject: [PATCH] zlib: Incorporate fix for CVE-2022-37434 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" https://www.cve.org/CVERecord?id=CVE-2022-37434 Signed-off-by: Peter Müller Reviewed-by: Michael Tremer --- lfs/zlib | 4 ++++ src/patches/zlib-CVE-2022-37434.patch | 29 +++++++++++++++++++++++++++ 2 files changed, 33 insertions(+) create mode 100644 src/patches/zlib-CVE-2022-37434.patch diff --git a/lfs/zlib b/lfs/zlib index 19740fb7f..8197c9b45 100644 --- a/lfs/zlib +++ b/lfs/zlib @@ -77,6 +77,10 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + + # Fix for CVE-2022-37434 + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/zlib-CVE-2022-37434.patch + cd $(DIR_APP) && CROSS_PREFIX=$(CROSS_PREFIX) ./configure --prefix=$(PREFIX) --shared cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install diff --git a/src/patches/zlib-CVE-2022-37434.patch b/src/patches/zlib-CVE-2022-37434.patch new file mode 100644 index 000000000..95e9f173f --- /dev/null +++ b/src/patches/zlib-CVE-2022-37434.patch @@ -0,0 +1,29 @@ +commit eff308af425b67093bab25f80f1ae950166bece1 +Author: Mark Adler +Date: Sat Jul 30 15:51:11 2022 -0700 + + Fix a bug when getting a gzip header extra field with inflate(). + + If the extra field was larger than the space the user provided with + inflateGetHeader(), and if multiple calls of inflate() delivered + the extra header data, then there could be a buffer overflow of the + provided space. This commit assures that provided space is not + exceeded. + +diff --git a/inflate.c b/inflate.c +index 7be8c63..7a72897 100644 +--- a/inflate.c ++++ b/inflate.c +@@ -763,9 +763,10 @@ int flush; + copy = state->length; + if (copy > have) copy = have; + if (copy) { ++ len = state->head->extra_len - state->length; + if (state->head != Z_NULL && +- state->head->extra != Z_NULL) { +- len = state->head->extra_len - state->length; ++ state->head->extra != Z_NULL && ++ len < state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy);