diff --git a/SOURCES/zlib-1.2.11-IBM-Z-hw-accelrated-deflate-compressBound-fix.patch b/SOURCES/zlib-1.2.11-IBM-Z-hw-accelrated-deflate-compressBound-fix.patch new file mode 100644 index 0000000..27454ab --- /dev/null +++ b/SOURCES/zlib-1.2.11-IBM-Z-hw-accelrated-deflate-compressBound-fix.patch @@ -0,0 +1,93 @@ +Source from https://gitlab.com/redhat/centos-stream/rpms/zlib/-/merge_requests/9 +Author: Ilya Leoshkevich + +--- a/compress.c ++++ b/compress.c +@@ -5,9 +5,15 @@ + + /* @(#) $Id$ */ + +-#define ZLIB_INTERNAL ++#include "zutil.h" + #include "zlib.h" + ++#ifdef DFLTCC ++# include "contrib/s390/dfltcc.h" ++#else ++#define DEFLATE_BOUND_COMPLEN(source_len) 0 ++#endif ++ + /* =========================================================================== + Compresses the source buffer into the destination buffer. The level + parameter has the same meaning as in deflateInit. sourceLen is the byte +@@ -81,6 +87,12 @@ int ZEXPORT compress (dest, destLen, source, sourceLen) + uLong ZEXPORT compressBound (sourceLen) + uLong sourceLen; + { ++ uLong complen = DEFLATE_BOUND_COMPLEN(sourceLen); ++ ++ if (complen > 0) ++ /* Architecture-specific code provided an upper bound. */ ++ return complen + ZLIB_WRAPLEN; ++ + return sourceLen + (sourceLen >> 12) + (sourceLen >> 14) + + (sourceLen >> 25) + 13; + } +--- a/contrib/s390/dfltcc.h ++++ b/contrib/s390/dfltcc.h +@@ -12,6 +12,28 @@ void ZLIB_INTERNAL dfltcc_reset OF((z_streamp strm, uInt size)); + voidpf ZLIB_INTERNAL dfltcc_alloc_window OF((z_streamp strm, uInt items, + uInt size)); + void ZLIB_INTERNAL dfltcc_free_window OF((z_streamp strm, voidpf w)); ++#define DFLTCC_BLOCK_HEADER_BITS 3 ++#define DFLTCC_HLITS_COUNT_BITS 5 ++#define DFLTCC_HDISTS_COUNT_BITS 5 ++#define DFLTCC_HCLENS_COUNT_BITS 4 ++#define DFLTCC_MAX_HCLENS 19 ++#define DFLTCC_HCLEN_BITS 3 ++#define DFLTCC_MAX_HLITS 286 ++#define DFLTCC_MAX_HDISTS 30 ++#define DFLTCC_MAX_HLIT_HDIST_BITS 7 ++#define DFLTCC_MAX_SYMBOL_BITS 16 ++#define DFLTCC_MAX_EOBS_BITS 15 ++#define DFLTCC_MAX_PADDING_BITS 7 ++#define DEFLATE_BOUND_COMPLEN(source_len) \ ++ ((DFLTCC_BLOCK_HEADER_BITS + \ ++ DFLTCC_HLITS_COUNT_BITS + \ ++ DFLTCC_HDISTS_COUNT_BITS + \ ++ DFLTCC_HCLENS_COUNT_BITS + \ ++ DFLTCC_MAX_HCLENS * DFLTCC_HCLEN_BITS + \ ++ (DFLTCC_MAX_HLITS + DFLTCC_MAX_HDISTS) * DFLTCC_MAX_HLIT_HDIST_BITS + \ ++ (source_len) * DFLTCC_MAX_SYMBOL_BITS + \ ++ DFLTCC_MAX_EOBS_BITS + \ ++ DFLTCC_MAX_PADDING_BITS) >> 3) + int ZLIB_INTERNAL dfltcc_can_inflate OF((z_streamp strm)); + typedef enum { + DFLTCC_INFLATE_CONTINUE, +diff --git a/contrib/s390/dfltcc_deflate.h b/contrib/s390/dfltcc_deflate.h +index 03f7f53..46acfc5 100644 +--- a/contrib/s390/dfltcc_deflate.h ++++ b/contrib/s390/dfltcc_deflate.h +@@ -46,8 +46,7 @@ int ZLIB_INTERNAL dfltcc_deflate_get_dictionary OF((z_streamp strm, + #define DEFLATE_BOUND_ADJUST_COMPLEN(strm, complen, source_len) \ + do { \ + if (dfltcc_can_deflate((strm))) \ +- (complen) = (3 + 5 + 5 + 4 + 19 * 3 + (286 + 30) * 7 + \ +- (source_len) * 16 + 15 + 7) >> 3; \ ++ (complen) = DEFLATE_BOUND_COMPLEN(source_len); \ + } while (0) + #define DEFLATE_NEED_CONSERVATIVE_BOUND(strm) (dfltcc_can_deflate((strm))) + #define DEFLATE_HOOK dfltcc_deflate +diff --git a/zutil.h b/zutil.h +index 14277bc..cf90e49 100644 +--- a/zutil.h ++++ b/zutil.h +@@ -87,6 +87,8 @@ extern z_const char * const z_errmsg[10]; /* indexed by 2-zlib_error */ + + #define PRESET_DICT 0x20 /* preset dictionary flag in zlib header */ + ++#define ZLIB_WRAPLEN 6 /* zlib format overhead */ ++ + /* target dependencies */ + + #if defined(MSDOS) || (defined(WINDOWS) && !defined(WIN32)) diff --git a/SPECS/zlib.spec b/SPECS/zlib.spec index 5c9a94b..07877f7 100644 --- a/SPECS/zlib.spec +++ b/SPECS/zlib.spec @@ -3,7 +3,7 @@ Name: zlib Version: 1.2.11 -Release: 19%{?dist} +Release: 20%{?dist} Summary: The compression and decompression library # /contrib/dotzlib/ have Boost license License: zlib and Boost @@ -32,8 +32,10 @@ Patch8: zlib-1.2.11-IBM-DFLTCC-compression-level-switching-issues.patch # fixed inflateSyncPoint() bad return value on z15 Patch9: zlib-1.2.11-inflateSyncPoint-return-value-fix.patch Patch10: zlib-1.2.11-CVE-2018-25032.patch +# Fix the compressBound() on z15 +Patch11: zlib-1.2.11-IBM-Z-hw-accelrated-deflate-compressBound-fix.patch -# Patches for CVE-2022-37434 +# Fix CVE-2022-37434 Patch12: zlib-1.2.11-cve-2022-37434.patch Patch13: zlib-1.2.11-cve-2022-37434_2.patch @@ -99,9 +101,11 @@ developing applications which use minizip. %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 %patch12 -p1 %patch13 -p1 + iconv -f iso-8859-2 -t utf-8 < ChangeLog > ChangeLog.tmp mv ChangeLog.tmp ChangeLog @@ -180,10 +184,15 @@ find $RPM_BUILD_ROOT -name '*.la' -delete %changelog -* Tue Aug 09 2022 Matej Mužila - 1.2.11.19 +* Tue Aug 09 2022 Matej Mužila - 1.2.11-20 - Fix heap-based buffer over-read or buffer overflow in inflate in inflate.c - Resolves: CVE-2022-37434 +* Mon May 16 2022 Lukas Javorsky - 1.2.11-19 +- Apply IBM patch for compressBound() function +- Source from https://github.com/madler/zlib/issues/410#issuecomment-947212824 +- Resolves: #2056900 + * Tue Mar 29 2022 Matej Mužila - 1.2.11-18 - Resolves: CVE-2018-25032