From: Christian Melki
To: ptxdist@pengutronix.de
Date: Wed, 7 Sep 2022 12:28:11 +0200
Message-Id: <20220907102811.628405-1-christian.melki@t2data.com>
Subject: [ptxdist] [PATCH] zlib: Fix CVE-2022-37434.

Severity score of 9.8.
https://nvd.nist.gov/vuln/detail/CVE-2022-37434

Patches taken from zlib develop branch.
https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1

Signed-off-by: Christian Melki
---
 ...etting-a-gzip-header-extra-field-wit.patch | 31 +++++++++++++++++++
 ...processing-bug-that-dereferences-NUL.patch | 28 +++++++++++++++++
 patches/zlib-1.2.12/series | 4 ++-
 3 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 patches/zlib-1.2.12/0002-Fix-a-bug-when-getting-a-gzip-header-extra-field-wit.patch
 create mode 100644 patches/zlib-1.2.12/0003-Fix-extra-field-processing-bug-that-dereferences-NUL.patch

diff --git a/patches/zlib-1.2.12/0002-Fix-a-bug-when-getting-a-gzip-header-extra-field-wit.patch b/patches/zlib-1.2.12/0002-Fix-a-bug-when-getting-a-gzip-header-extra-field-wit.patch new file mode 100644 index 000000000..e8b36be46 --- /dev/null
+++ b/patches/zlib-1.2.12/0002-Fix-a-bug-when-getting-a-gzip-header-extra-field-wit.patch @@ -0,0 +1,31 @@ +From: Mark Adler +Date: Sat, 30 Jul 2022 15:51:11 -0700 +Subject: [PATCH] Fix a bug when getting a gzip header extra field with + inflate(). + +If the extra field was larger than the space the user provided with +inflateGetHeader(), and if multiple calls of inflate() delivered +the extra header data, then there could be a buffer overflow of the +provided space. This commit assures that provided space is not +exceeded. +--- + inflate.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/inflate.c b/inflate.c +index 7be8c63662a7..7a728974923a 100644 +--- a/inflate.c ++++ b/inflate.c +@@ -763,9 +763,10 @@ int flush; + copy = state->length; + if (copy > have) copy = have; + if (copy) { ++ len = state->head->extra_len - state->length; + if (state->head != Z_NULL && +- state->head->extra != Z_NULL) { +- len = state->head->extra_len - state->length; ++ state->head->extra != Z_NULL && ++ len < state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy); diff --git a/patches/zlib-1.2.12/0003-Fix-extra-field-processing-bug-that-dereferences-NUL.patch b/patches/zlib-1.2.12/0003-Fix-extra-field-processing-bug-that-dereferences-NUL.patch new file mode 100644 index 000000000..381c52128 --- /dev/null +++ b/patches/zlib-1.2.12/0003-Fix-extra-field-processing-bug-that-dereferences-NUL.patch 
@@ -0,0 +1,28 @@ +From: Mark Adler +Date: Mon, 8 Aug 2022 10:50:09 -0700 +Subject: [PATCH] Fix extra field processing bug that dereferences NULL + state->head. + +The recent commit to fix a gzip header extra field processing bug +introduced the new bug fixed here. +--- + inflate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/inflate.c b/inflate.c +index 7a728974923a..2a3c4fe98464 100644 +--- a/inflate.c ++++ b/inflate.c +@@ -763,10 +763,10 @@ int flush; + copy = state->length; + if (copy > have) copy = have; + if (copy) { +- len = state->head->extra_len - state->length; + if (state->head != Z_NULL && + state->head->extra != Z_NULL && +- len < state->head->extra_max) { ++ (len = state->head->extra_len - state->length) < ++ state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy); diff --git a/patches/zlib-1.2.12/series b/patches/zlib-1.2.12/series index ac92b3ba7..5287c5835 100644 --- a/patches/zlib-1.2.12/series +++ b/patches/zlib-1.2.12/series @@ -1,4 +1,6 @@ # generated by git-ptx-patches #tag:base --start-number 1 0001-Fix-configure-issue-that-discarded-provided-CC-defin.patch -# 5dfc5088b94416c3eb59b1a207bdec70 - git-ptx-patches magic +0002-Fix-a-bug-when-getting-a-gzip-header-extra-field-wit.patch +0003-Fix-extra-field-processing-bug-that-dereferences-NUL.patch +# cd27facc69e3374f1354a2aca57309ec - git-ptx-patches magic -- 2.34.1
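Review bot: in the inflate.c hunk carried by 0002, the moved line `len = state->head->extra_len - state->length;` now sits above the `state->head != Z_NULL` test, so state->head is dereferenced before it is checked. 0002 on its own therefore trades the overflow for a NULL dereference, and is only safe with 0003 applied directly after it. The series file does list both in that order, and the index lines chain (7a728974923a is the result of 0002 and the base of 0003). It would help to say in the commit message that the second upstream commit repairs a regression in the first, so that a later backport or patch refresh never keeps 0002 alone.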
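Review bot: the header of 0003 refers only to "the recent commit", and neither carried patch file records the upstream commit it was taken from; the two GitHub URLs appear only in the description of this mail. Consider adding the matching upstream URL to the header of each patch file under patches/zlib-1.2.12/, so that the inflate.c hunks can be compared against upstream and both patches can be dropped together when the zlib version is bumped.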