From: Peter Müller Date: Wed, 10 Aug 2022 10:50:57 +0000 (+0000) Subject: zlib: Add fix for CVE-2022-37434 fix X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=59b95d4e2617656f4c6b15ca3ad8e6748c0a0f5b;p=people%2Fms%2Fipfire-2.x.git zlib: Add fix for CVE-2022-37434 fix https://www.openwall.com/lists/oss-security/2022/08/09/1 Signed-off-by: Peter Müller --- diff --git a/lfs/zlib b/lfs/zlib index 8197c9b457..f244896771 100644 --- a/lfs/zlib +++ b/lfs/zlib @@ -78,8 +78,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - # Fix for CVE-2022-37434 + # Apply fix for CVE-2022-37434 (and a fix for the fix) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/zlib-CVE-2022-37434.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/zlib-CVE-2022-37434-fix.patch cd $(DIR_APP) && CROSS_PREFIX=$(CROSS_PREFIX) ./configure --prefix=$(PREFIX) --shared cd $(DIR_APP) && make $(MAKETUNING) diff --git a/src/patches/zlib-CVE-2022-37434-fix.patch b/src/patches/zlib-CVE-2022-37434-fix.patch new file mode 100644 index 0000000000..ba8e395359 --- /dev/null +++ b/src/patches/zlib-CVE-2022-37434-fix.patch @@ -0,0 +1,26 @@ +commit 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d +Author: Mark Adler +Date: Mon Aug 8 10:50:09 2022 -0700 + + Fix extra field processing bug that dereferences NULL state->head. + + The recent commit to fix a gzip header extra field processing bug + introduced the new bug fixed here. + +diff --git a/inflate.c b/inflate.c +index 7a72897..2a3c4fe 100644 +--- a/inflate.c ++++ b/inflate.c +@@ -763,10 +763,10 @@ int flush; + copy = state->length; + if (copy > have) copy = have; + if (copy) { +- len = state->head->extra_len - state->length; + if (state->head != Z_NULL && + state->head->extra != Z_NULL && +- len < state->head->extra_max) { ++ (len = state->head->extra_len - state->length) < ++ state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy);