import zlib-1.2.11-21.el8_7

2023-03-28 09:22:17 +00:00 · 2023-03-28 09:22:17 +00:00 · 30f8cd5cc1
commit 30f8cd5cc1
parent 561a73bd5c
4 changed files with 97 additions and 1 deletions
--- a/SOURCES/zlib-1.2.11-IBM-Z-hw-accelrated-deflate-strm-adler-fix.patch
+++ b/SOURCES/zlib-1.2.11-IBM-Z-hw-accelrated-deflate-strm-adler-fix.patch
@ -0,0 +1,11 @@
 --- a/contrib/s390/dfltcc.c
 +++ b/contrib/s390/dfltcc.c
@@ -623,7 +623,7 @@
     state->bits = param->sbb;
     state->whave = param->hl;
     state->wnext = (param->ho + param->hl) & ((1 << HB_BITS) - 1);
 -    state->check = state->flags ? ZSWAP32(param->cv) : param->cv;
 +    strm->adler = state->check = state->flags ? ZSWAP32(param->cv) : param->cv;
     if (cc == DFLTCC_CC_OP2_CORRUPT && param->oesc != 0) {
         /* Report an error if stream is corrupted */
         state->mode = BAD;
--- a/SOURCES/zlib-1.2.11-cve-2022-37434.patch
+++ b/SOURCES/zlib-1.2.11-cve-2022-37434.patch
@ -0,0 +1,35 @@
 From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
 From: Mark Adler <fork@madler.net>
 Date: Sat, 30 Jul 2022 15:51:11 -0700
 Subject: [PATCH] Fix a bug when getting a gzip header extra field with
 inflate().
 If the extra field was larger than the space the user provided with
 inflateGetHeader(), and if multiple calls of inflate() delivered
 the extra header data, then there could be a buffer overflow of the
 provided space. This commit assures that provided space is not
 exceeded.
 ---
 inflate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/inflate.c b/inflate.c
 index 7be8c63..7a72897 100644
 --- a/inflate.c
 +++ b/inflate.c
@@ -763,9 +763,10 @@ int flush;
                 copy = state->length;
                 if (copy > have) copy = have;
                 if (copy) {
 +                    len = state->head->extra_len - state->length;
                     if (state->head != Z_NULL &&
 -                        state->head->extra != Z_NULL) {
 -                        len = state->head->extra_len - state->length;
 +                        state->head->extra != Z_NULL &&
 +                        len < state->head->extra_max) {
                         zmemcpy(state->head->extra + len, next,
                                 len + copy > state->head->extra_max ?
                                 state->head->extra_max - len : copy);
 -- 
 2.35.3
--- a/SOURCES/zlib-1.2.11-cve-2022-37434_2.patch
+++ b/SOURCES/zlib-1.2.11-cve-2022-37434_2.patch
@ -0,0 +1,32 @@
 From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
 From: Mark Adler <fork@madler.net>
 Date: Mon, 8 Aug 2022 10:50:09 -0700
 Subject: [PATCH] Fix extra field processing bug that dereferences NULL
 state->head.
 The recent commit to fix a gzip header extra field processing bug
 introduced the new bug fixed here.
 ---
 inflate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/inflate.c b/inflate.c
 index 7a72897..2a3c4fe 100644
 --- a/inflate.c
 +++ b/inflate.c
@@ -763,10 +763,10 @@ int flush;
                 copy = state->length;
                 if (copy > have) copy = have;
                 if (copy) {
 -                    len = state->head->extra_len - state->length;
                     if (state->head != Z_NULL &&
                         state->head->extra != Z_NULL &&
 -                        len < state->head->extra_max) {
 +                        (len = state->head->extra_len - state->length) <
 +                            state->head->extra_max) {
                         zmemcpy(state->head->extra + len, next,
                                 len + copy > state->head->extra_max ?
                                 state->head->extra_max - len : copy);
 -- 
 2.35.3
--- a/SPECS/zlib.spec
+++ b/SPECS/zlib.spec
@ -3,7 +3,7 @@
 Name:    zlib
 Version: 1.2.11
-Release: 19%{?dist}
+Release: 21%{?dist}
 Summary: The compression and decompression library
 # /contrib/dotzlib/ have Boost license
 License: zlib and Boost
@ -35,6 +35,13 @@ Patch10: zlib-1.2.11-CVE-2018-25032.patch
 # Fix the compressBound() on z15
 Patch11: zlib-1.2.11-IBM-Z-hw-accelrated-deflate-compressBound-fix.patch
 # Fix CVE-2022-37434
 Patch12: zlib-1.2.11-cve-2022-37434.patch
 Patch13: zlib-1.2.11-cve-2022-37434_2.patch
 # Fix setting strm.adler on z15
 Patch14: zlib-1.2.11-IBM-Z-hw-accelrated-deflate-strm-adler-fix.patch
 BuildRequires: automake, autoconf, libtool
 %description
@ -98,6 +105,10 @@ developing applications which use minizip.
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
 iconv -f iso-8859-2 -t utf-8 < ChangeLog > ChangeLog.tmp
 mv ChangeLog.tmp ChangeLog
@ -177,6 +188,13 @@ find $RPM_BUILD_ROOT -name '*.la' -delete
 %changelog
 * Wed Oct 12 2022 Ilya Leoshkevich <iii@linux.ibm.com> - 1.2.11-21
 - Fix for IBM strm.adler rhbz#2134074
 * Tue Aug 09 2022 Matej Mužila <mmuzila@redhat.com> - 1.2.11-20
 - Fix heap-based buffer over-read or buffer overflow in inflate in inflate.c
 - Resolves: CVE-2022-37434
 * Mon May 16 2022 Lukas Javorsky <ljavorsk@redhat.com> - 1.2.11-19
 - Apply IBM patch for compressBound() function
 - Source from https://github.com/madler/zlib/issues/410#issuecomment-947212824