From patchwork Mon Nov  7 21:14:28 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adolf Belka <adolf.belka@ipfire.org>
X-Patchwork-Id: 6074
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4N5kWY5m1wz3wcM
	for <patchwork@web04.haj.ipfire.org>; Mon,  7 Nov 2022 21:14:33 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4N5kWX59CPz2Nc;
	Mon,  7 Nov 2022 21:14:32 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4N5kWX4PVSz2xhb;
	Mon,  7 Nov 2022 21:14:32 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384)
 client-signature ECDSA (P-384))
 (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4N5kWW71r4z2xRt
 for <development@lists.ipfire.org>; Mon,  7 Nov 2022 21:14:31 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
 (No client certificate requested)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 4N5kWW2LyYzyn;
 Mon,  7 Nov 2022 21:14:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
 t=1667855671;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding;
 bh=210JwqwxckoyJCk7FuBkrqsvdMibaZ3tral2rwqu8GY=;
 b=g+lBWZkcQu2ivhPON0B5vFTVKC/nyclyBgd/Jj7Cxenk3xe/+e0UsTynYz/hsg+5XH6YrY
 ECtAOXvoBrbdN38e/xydlNOQUdpuUpOZocqjhcT8UJngcLtfIpy52Eb3fIoYyeyuWANWs/
 MN0KO4+j+fmIrpd7JB0213FGom1HaBEpCfvZt2gjcn4HQ7UkQp3tQvXhsryegeuXvNAQgS
 yTImLUavMrUCVdCFCaYximiz38RpSWau4y5N/2tXg6BAM57xWUlASRS0l+Hv2UCZjGX6yL
 FK5Hw8etn8qCg81nqDVEG2tsqnsiexZmKAFjdxqG+haaW8GM3zQLcUQegcu5ug==
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003ed25519; t=1667855671;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding;
 bh=210JwqwxckoyJCk7FuBkrqsvdMibaZ3tral2rwqu8GY=;
 b=hzc7+mWYvdTpz3YHH1ek2HP6EBiGmJRogvqd3HbiOaOU2HXSUSmc2W6FkcVTmjnHcK7qdJ
 6RQFOFQBow4VDdBA==
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] zlib: Update to version 1.2.13
Date: Mon,  7 Nov 2022 22:14:28 +0100
Message-Id: <20221107211428.3219507-1-adolf.belka@ipfire.org>
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

- Update from version 1.2.12 to 1.2.13
- Update of rootfile
- Patches for CVE-2022-37434 removed as they are now integarted in the source tarball
- Changelog
    Changes in 1.2.13 (13 Oct 2022)
	- Fix configure issue that discarded provided CC definition
	- Correct incorrect inputs provided to the CRC functions
	- Repair prototypes and exporting of new CRC functions
	- Fix inflateBack to detect invalid input with distances too far
	- Have infback() deliver all of the available output up to any error
	- Fix a bug when getting a gzip header extra field with inflate(CVE-2022-37434)
	- Fix bug in block type selection when Z_FIXED used
	- Tighten deflateBound bounds
	- Remove deleted assembler code references
	- Various portability and appearance improvements

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
---
 config/rootfiles/common/zlib              |  2 +-
 lfs/zlib                                  | 10 +++-----
 src/patches/zlib-CVE-2022-37434-fix.patch | 26 --------------------
 src/patches/zlib-CVE-2022-37434.patch     | 29 -----------------------
 4 files changed, 4 insertions(+), 63 deletions(-)
 delete mode 100644 src/patches/zlib-CVE-2022-37434-fix.patch
 delete mode 100644 src/patches/zlib-CVE-2022-37434.patch

diff --git a/config/rootfiles/common/zlib b/config/rootfiles/common/zlib
index 0e01dc00e..c1f23ab8a 100644
--- a/config/rootfiles/common/zlib
+++ b/config/rootfiles/common/zlib
@@ -1,6 +1,6 @@
 lib/libz.so
 lib/libz.so.1
-lib/libz.so.1.2.12
+lib/libz.so.1.2.13
 #usr/include/zconf.h
 #usr/include/zlib.h
 #usr/lib/libz.a
diff --git a/lfs/zlib b/lfs/zlib
index f24489677..858abd0cd 100644
--- a/lfs/zlib
+++ b/lfs/zlib
@@ -24,10 +24,10 @@
 
 include Config
 
-VER        = 1.2.12
+VER        = 1.2.13
 
 THISAPP    = zlib-$(VER)
-DL_FILE    = $(THISAPP).tar.gz
+DL_FILE    = $(THISAPP).tar.xz
 DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 
@@ -47,7 +47,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 76e7b26f8dc761b0eae6276cc32bc36fa74a88197699c95d158c1548f97b80db5e39d21144ecd6ee3eb90c42730aa5f387f9952d9a3f0930b56e9dfcd12f1e67
+$(DL_FILE)_BLAKE2 = cefcd25989ce27e7d339af2a88455fcf64f6f5e647bedb0f05a45e4370a885fe45a60c023aa63e79b8ecf20ed3254d0052245f33f5769aca2838b42242be14a8
 
 install : $(TARGET)
 
@@ -78,10 +78,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 
-	# Apply fix for CVE-2022-37434 (and a fix for the fix)
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/zlib-CVE-2022-37434.patch
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/zlib-CVE-2022-37434-fix.patch
-
 	cd $(DIR_APP) && CROSS_PREFIX=$(CROSS_PREFIX) ./configure --prefix=$(PREFIX) --shared
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
diff --git a/src/patches/zlib-CVE-2022-37434-fix.patch b/src/patches/zlib-CVE-2022-37434-fix.patch
deleted file mode 100644
index ba8e39535..000000000
--- a/src/patches/zlib-CVE-2022-37434-fix.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-commit 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
-Author: Mark Adler <fork@madler.net>
-Date:   Mon Aug 8 10:50:09 2022 -0700
-
-    Fix extra field processing bug that dereferences NULL state->head.
-    
-    The recent commit to fix a gzip header extra field processing bug
-    introduced the new bug fixed here.
-
-diff --git a/inflate.c b/inflate.c
-index 7a72897..2a3c4fe 100644
---- a/inflate.c
-+++ b/inflate.c
-@@ -763,10 +763,10 @@ int flush;
-                 copy = state->length;
-                 if (copy > have) copy = have;
-                 if (copy) {
--                    len = state->head->extra_len - state->length;
-                     if (state->head != Z_NULL &&
-                         state->head->extra != Z_NULL &&
--                        len < state->head->extra_max) {
-+                        (len = state->head->extra_len - state->length) <
-+                            state->head->extra_max) {
-                         zmemcpy(state->head->extra + len, next,
-                                 len + copy > state->head->extra_max ?
-                                 state->head->extra_max - len : copy);
diff --git a/src/patches/zlib-CVE-2022-37434.patch b/src/patches/zlib-CVE-2022-37434.patch
deleted file mode 100644
index 95e9f173f..000000000
--- a/src/patches/zlib-CVE-2022-37434.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-commit eff308af425b67093bab25f80f1ae950166bece1
-Author: Mark Adler <fork@madler.net>
-Date:   Sat Jul 30 15:51:11 2022 -0700
-
-    Fix a bug when getting a gzip header extra field with inflate().
-    
-    If the extra field was larger than the space the user provided with
-    inflateGetHeader(), and if multiple calls of inflate() delivered
-    the extra header data, then there could be a buffer overflow of the
-    provided space. This commit assures that provided space is not
-    exceeded.
-
-diff --git a/inflate.c b/inflate.c
-index 7be8c63..7a72897 100644
---- a/inflate.c
-+++ b/inflate.c
-@@ -763,9 +763,10 @@ int flush;
-                 copy = state->length;
-                 if (copy > have) copy = have;
-                 if (copy) {
-+                    len = state->head->extra_len - state->length;
-                     if (state->head != Z_NULL &&
--                        state->head->extra != Z_NULL) {
--                        len = state->head->extra_len - state->length;
-+                        state->head->extra != Z_NULL &&
-+                        len < state->head->extra_max) {
-                         zmemcpy(state->head->extra + len, next,
-                                 len + copy > state->head->extra_max ?
-                                 state->head->extra_max - len : copy);