import zlib-1.2.11-19.el8_6

This commit is contained in:
CentOS Sources 2022-10-25 03:32:06 -04:00 committed by root
parent 7854e903a5
commit df61269f49
3 changed files with 78 additions and 1 deletions

View File

@ -0,0 +1,35 @@
From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
From: Mark Adler <fork@madler.net>
Date: Sat, 30 Jul 2022 15:51:11 -0700
Subject: [PATCH] Fix a bug when getting a gzip header extra field with
inflate().
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
---
inflate.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/inflate.c b/inflate.c
index 7be8c63..7a72897 100644
--- a/inflate.c
+++ b/inflate.c
@@ -763,9 +763,10 @@ int flush;
copy = state->length;
if (copy > have) copy = have;
if (copy) {
+ len = state->head->extra_len - state->length;
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ len < state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);
--
2.35.3

View File

@ -0,0 +1,32 @@
From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
From: Mark Adler <fork@madler.net>
Date: Mon, 8 Aug 2022 10:50:09 -0700
Subject: [PATCH] Fix extra field processing bug that dereferences NULL
state->head.
The recent commit to fix a gzip header extra field processing bug
introduced the new bug fixed here.
---
inflate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/inflate.c b/inflate.c
index 7a72897..2a3c4fe 100644
--- a/inflate.c
+++ b/inflate.c
@@ -763,10 +763,10 @@ int flush;
copy = state->length;
if (copy > have) copy = have;
if (copy) {
- len = state->head->extra_len - state->length;
if (state->head != Z_NULL &&
state->head->extra != Z_NULL &&
- len < state->head->extra_max) {
+ (len = state->head->extra_len - state->length) <
+ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);
--
2.35.3

View File

@ -3,7 +3,7 @@
Name: zlib
Version: 1.2.11
Release: 18%{?dist}
Release: 19%{?dist}
Summary: The compression and decompression library
# /contrib/dotzlib/ have Boost license
License: zlib and Boost
@ -33,6 +33,10 @@ Patch8: zlib-1.2.11-IBM-DFLTCC-compression-level-switching-issues.patch
Patch9: zlib-1.2.11-inflateSyncPoint-return-value-fix.patch
Patch10: zlib-1.2.11-CVE-2018-25032.patch
# Patches for CVE-2022-37434
Patch12: zlib-1.2.11-cve-2022-37434.patch
Patch13: zlib-1.2.11-cve-2022-37434_2.patch
BuildRequires: automake, autoconf, libtool
%description
@ -95,6 +99,8 @@ developing applications which use minizip.
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch12 -p1
%patch13 -p1
iconv -f iso-8859-2 -t utf-8 < ChangeLog > ChangeLog.tmp
mv ChangeLog.tmp ChangeLog
@ -174,6 +180,10 @@ find $RPM_BUILD_ROOT -name '*.la' -delete
%changelog
* Tue Aug 09 2022 Matej Mužila <mmuzila@redhat.com> - 1.2.11.19
- Fix heap-based buffer over-read or buffer overflow in inflate in inflate.c
- Resolves: CVE-2022-37434
* Tue Mar 29 2022 Matej Mužila <mmuzila@redhat.com> - 1.2.11-18
- Resolves: CVE-2018-25032