From 59b95d4e2617656f4c6b15ca3ad8e6748c0a0f5b Mon Sep 17 00:00:00 2001 From: =?utf8?q?Peter=20M=C3=BCller?= Date: Wed, 10 Aug 2022 10:50:57 +0000 Subject: [PATCH] zlib: Add fix for CVE-2022-37434 fix MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit https://www.openwall.com/lists/oss-security/2022/08/09/1 Signed-off-by: Peter Müller --- lfs/zlib | 3 ++- src/patches/zlib-CVE-2022-37434-fix.patch | 26 +++++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 src/patches/zlib-CVE-2022-37434-fix.patch diff --git a/lfs/zlib b/lfs/zlib index 8197c9b457..f244896771 100644 --- a/lfs/zlib +++ b/lfs/zlib @@ -78,8 +78,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - # Fix for CVE-2022-37434 + # Apply fix for CVE-2022-37434 (and a fix for the fix) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/zlib-CVE-2022-37434.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/zlib-CVE-2022-37434-fix.patch cd $(DIR_APP) && CROSS_PREFIX=$(CROSS_PREFIX) ./configure --prefix=$(PREFIX) --shared cd $(DIR_APP) && make $(MAKETUNING) diff --git a/src/patches/zlib-CVE-2022-37434-fix.patch b/src/patches/zlib-CVE-2022-37434-fix.patch new file mode 100644 index 0000000000..ba8e395359 --- /dev/null +++ b/src/patches/zlib-CVE-2022-37434-fix.patch @@ -0,0 +1,26 @@ +commit 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d +Author: Mark Adler +Date: Mon Aug 8 10:50:09 2022 -0700 + + Fix extra field processing bug that dereferences NULL state->head. + + The recent commit to fix a gzip header extra field processing bug + introduced the new bug fixed here. + +diff --git a/inflate.c b/inflate.c +index 7a72897..2a3c4fe 100644 +--- a/inflate.c ++++ b/inflate.c +@@ -763,10 +763,10 @@ int flush; + copy = state->length; + if (copy > have) copy = have; + if (copy) { +- len = state->head->extra_len - state->length; + if (state->head != Z_NULL && + state->head->extra != Z_NULL && +- len < state->head->extra_max) { ++ (len = state->head->extra_len - state->length) < ++ state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy); -- 2.39.5