79f270
import zlib-1.2.11-32.el9_0
Authored and Committed by 
centosrcm
2 years ago
SOURCES/zlib-1.2.11-cve-2022-37434.patch
ADDED
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
|
|
2
|
+
From: Mark Adler <fork@madler.net>
|
|
3
|
+
Date: Sat, 30 Jul 2022 15:51:11 -0700
|
|
4
|
+
Subject: [PATCH] Fix a bug when getting a gzip header extra field with
|
|
5
|
+
inflate().
|
|
6
|
+
|
|
7
|
+
If the extra field was larger than the space the user provided with
|
|
8
|
+
inflateGetHeader(), and if multiple calls of inflate() delivered
|
|
9
|
+
the extra header data, then there could be a buffer overflow of the
|
|
10
|
+
provided space. This commit assures that provided space is not
|
|
11
|
+
exceeded.
|
|
12
|
+
---
|
|
13
|
+
inflate.c | 5 +++--
|
|
14
|
+
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
15
|
+
|
|
16
|
+
diff --git a/inflate.c b/inflate.c
|
|
17
|
+
index 7be8c63..7a72897 100644
|
|
18
|
+
--- a/inflate.c
|
|
19
|
+
+++ b/inflate.c
|
|
20
|
+
@@ -763,9 +763,10 @@ int flush;
|
|
21
|
+
copy = state->length;
|
|
22
|
+
if (copy > have) copy = have;
|
|
23
|
+
if (copy) {
|
|
24
|
+
+ len = state->head->extra_len - state->length;
|
|
25
|
+
if (state->head != Z_NULL &&
|
|
26
|
+
- state->head->extra != Z_NULL) {
|
|
27
|
+
- len = state->head->extra_len - state->length;
|
|
28
|
+
+ state->head->extra != Z_NULL &&
|
|
29
|
+
+ len < state->head->extra_max) {
|
|
30
|
+
zmemcpy(state->head->extra + len, next,
|
|
31
|
+
len + copy > state->head->extra_max ?
|
|
32
|
+
state->head->extra_max - len : copy);
|
|
33
|
+
--
|
|
34
|
+
2.35.3
|
|
35
|
+
|
SOURCES/zlib-1.2.11-cve-2022-37434_2.patch
ADDED
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
|
|
2
|
+
From: Mark Adler <fork@madler.net>
|
|
3
|
+
Date: Mon, 8 Aug 2022 10:50:09 -0700
|
|
4
|
+
Subject: [PATCH] Fix extra field processing bug that dereferences NULL
|
|
5
|
+
state->head.
|
|
6
|
+
|
|
7
|
+
The recent commit to fix a gzip header extra field processing bug
|
|
8
|
+
introduced the new bug fixed here.
|
|
9
|
+
---
|
|
10
|
+
inflate.c | 4 ++--
|
|
11
|
+
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
12
|
+
|
|
13
|
+
diff --git a/inflate.c b/inflate.c
|
|
14
|
+
index 7a72897..2a3c4fe 100644
|
|
15
|
+
--- a/inflate.c
|
|
16
|
+
+++ b/inflate.c
|
|
17
|
+
@@ -763,10 +763,10 @@ int flush;
|
|
18
|
+
copy = state->length;
|
|
19
|
+
if (copy > have) copy = have;
|
|
20
|
+
if (copy) {
|
|
21
|
+
- len = state->head->extra_len - state->length;
|
|
22
|
+
if (state->head != Z_NULL &&
|
|
23
|
+
state->head->extra != Z_NULL &&
|
|
24
|
+
- len < state->head->extra_max) {
|
|
25
|
+
+ (len = state->head->extra_len - state->length) <
|
|
26
|
+
+ state->head->extra_max) {
|
|
27
|
+
zmemcpy(state->head->extra + len, next,
|
|
28
|
+
len + copy > state->head->extra_max ?
|
|
29
|
+
state->head->extra_max - len : copy);
|
|
30
|
+
--
|
|
31
|
+
2.35.3
|
|
32
|
+
|
SPECS/zlib.spec
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
Name: zlib
|
|
4
4
|
Version: 1.2.11
|
|
5
|
-
Release:
|
|
5
|
+
Release: 32%{?dist}
|
|
6
6
|
Summary: Compression and decompression library
|
|
7
7
|
# /contrib/dotzlib/ have Boost license
|
|
8
8
|
License: zlib and Boost
|
|
@@ -37,6 +37,11 @@ Patch15: zlib-1.2.11-covscan-issues-rhel9.patch
|
|
|
37
37
|
Patch16: zlib-1.2.11-s390x-vectorize-crc32.patch
|
|
38
38
|
Patch18: zlib-1.2.11-CVE-2018-25032.patch
|
|
39
39
|
|
|
40
|
+
# Fix for CVE-2022-37434
|
|
41
|
+
Patch19: zlib-1.2.11-cve-2022-37434.patch
|
|
42
|
+
Patch20: zlib-1.2.11-cve-2022-37434_2.patch
|
|
43
|
+
|
|
44
|
+
|
|
40
45
|
BuildRequires: make
|
|
41
46
|
BuildRequires: automake, autoconf, libtool
|
|
42
47
|
|
|
@@ -105,6 +110,8 @@ developing applications which use minizip.
|
|
|
105
110
|
%patch15 -p1
|
|
106
111
|
%patch16 -p1
|
|
107
112
|
%patch18 -p1
|
|
113
|
+
%patch19 -p1
|
|
114
|
+
%patch20 -p1
|
|
108
115
|
|
|
109
116
|
|
|
110
117
|
iconv -f iso-8859-2 -t utf-8 < ChangeLog > ChangeLog.tmp
|
|
@@ -182,6 +189,10 @@ find $RPM_BUILD_ROOT -name '*.la' -delete
|
|
|
182
189
|
|
|
183
190
|
|
|
184
191
|
%changelog
|
|
192
|
+
* Wed Aug 10 2022 Matej Mužila <mmuzila@redhat.com> - 1.2.11-32
|
|
193
|
+
- Fix heap-based buffer over-read or buffer overflow in inflate in inflate.c
|
|
194
|
+
- Resolves: CVE-2022-37434
|
|
195
|
+
|
|
185
196
|
* Mon Apr 25 2022 Matej Mužila <mmuzila@redhat.com> - 1.2.11-31.1
|
|
186
197
|
- Fix CVE-2018-25032
|
|
187
198
|
Resolves: CVE-2018-25032
|