-62

pkgs/development/libraries/zlib/CVE-2022-37434.patch

reviewed

··· 1 1 - From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001 2 2 - From: Mark Adler <fork@madler.net> 3 3 - Date: Sat, 30 Jul 2022 15:51:11 -0700 4 4 - Subject: [PATCH] Fix a bug when getting a gzip header extra field with 5 5 - inflate(). 6 6 - 7 7 - If the extra field was larger than the space the user provided with 8 8 - inflateGetHeader(), and if multiple calls of inflate() delivered 9 9 - the extra header data, then there could be a buffer overflow of the 10 10 - provided space. This commit assures that provided space is not 11 11 - exceeded. 12 12 - --- 13 13 - inflate.c | 5 +++-- 14 14 - 1 file changed, 3 insertions(+), 2 deletions(-) 15 15 - 16 16 - diff --git a/inflate.c b/inflate.c 17 17 - index 7be8c6366..7a7289749 100644 18 18 - --- a/inflate.c 19 19 - +++ b/inflate.c 20 20 - @@ -763,9 +763,10 @@ int flush; 21 21 - copy = state->length; 22 22 - if (copy > have) copy = have; 23 23 - if (copy) { 24 24 - + len = state->head->extra_len - state->length; 25 25 - if (state->head != Z_NULL && 26 26 - - state->head->extra != Z_NULL) { 27 27 - - len = state->head->extra_len - state->length; 28 28 - + state->head->extra != Z_NULL && 29 29 - + len < state->head->extra_max) { 30 30 - zmemcpy(state->head->extra + len, next, 31 31 - len + copy > state->head->extra_max ? 32 32 - state->head->extra_max - len : copy); 33 33 - 34 34 - From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001 35 35 - From: Mark Adler <fork@madler.net> 36 36 - Date: Mon, 8 Aug 2022 10:50:09 -0700 37 37 - Subject: [PATCH] Fix extra field processing bug that dereferences NULL 38 38 - state->head. 39 39 - 40 40 - The recent commit to fix a gzip header extra field processing bug 41 41 - introduced the new bug fixed here. 42 42 - --- 43 43 - inflate.c | 4 ++-- 44 44 - 1 file changed, 2 insertions(+), 2 deletions(-) 45 45 - 46 46 - diff --git a/inflate.c b/inflate.c 47 47 - index 7a7289749..2a3c4fe98 100644 48 48 - --- a/inflate.c 49 49 - +++ b/inflate.c 50 50 - @@ -763,10 +763,10 @@ int flush; 51 51 - copy = state->length; 52 52 - if (copy > have) copy = have; 53 53 - if (copy) { 54 54 - - len = state->head->extra_len - state->length; 55 55 - if (state->head != Z_NULL && 56 56 - state->head->extra != Z_NULL && 57 57 - - len < state->head->extra_max) { 58 58 - + (len = state->head->extra_len - state->length) < 59 59 - + state->head->extra_max) { 60 60 - zmemcpy(state->head->extra + len, next, 61 61 - len + copy > state->head->extra_max ? 62 62 - state->head->extra_max - len : copy);

-51

pkgs/development/libraries/zlib/comprehensive-crc-validation-for-wrong-implementations.patch

reviewed

··· 1 1 - From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001 2 2 - From: Mark Adler <madler@alumni.caltech.edu> 3 3 - Date: Wed, 30 Mar 2022 11:14:53 -0700 4 4 - Subject: [PATCH] Correct incorrect inputs provided to the CRC functions. 5 5 - 6 6 - The previous releases of zlib were not sensitive to incorrect CRC 7 7 - inputs with bits set above the low 32. This commit restores that 8 8 - behavior, so that applications with such bugs will continue to 9 9 - operate as before. 10 10 - --- 11 11 - crc32.c | 8 ++++---- 12 12 - 1 file changed, 4 insertions(+), 4 deletions(-) 13 13 - 14 14 - diff --git a/crc32.c b/crc32.c 15 15 - index a1bdce5c2..451887bc7 100644 16 16 - --- a/crc32.c 17 17 - +++ b/crc32.c 18 18 - @@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) 19 19 - #endif /* DYNAMIC_CRC_TABLE */ 20 20 - 21 21 - /* Pre-condition the CRC */ 22 22 - - crc ^= 0xffffffff; 23 23 - + crc = (~crc) & 0xffffffff; 24 24 - 25 25 - /* Compute the CRC up to a word boundary. */ 26 26 - while (len && ((z_size_t)buf & 7) != 0) { 27 27 - @@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len) 28 28 - #endif /* DYNAMIC_CRC_TABLE */ 29 29 - 30 30 - /* Pre-condition the CRC */ 31 31 - - crc ^= 0xffffffff; 32 32 - + crc = (~crc) & 0xffffffff; 33 33 - 34 34 - #ifdef W 35 35 - 36 36 - @@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2) 37 37 - #ifdef DYNAMIC_CRC_TABLE 38 38 - once(&made, make_crc_table); 39 39 - #endif /* DYNAMIC_CRC_TABLE */ 40 40 - - return multmodp(x2nmodp(len2, 3), crc1) ^ crc2; 41 41 - + return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff); 42 42 - } 43 43 - 44 44 - /* ========================================================================= */ 45 45 - @@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op) 46 46 - uLong crc2; 47 47 - uLong op; 48 48 - { 49 49 - - return multmodp(op, crc1) ^ crc2; 50 50 - + return multmodp(op, crc1) ^ (crc2 & 0xffffffff); 51 51 - }

+2 -13

pkgs/development/libraries/zlib/default.nix

reviewed

··· 23 23 24 24 stdenv.mkDerivation (rec { 25 25 pname = "zlib"; 26 26 - version = "1.2.12"; 26 26 + version = "1.2.13"; 27 27 28 28 src = fetchurl { 29 29 urls = 30 30 [ "https://www.zlib.net/fossils/zlib-${version}.tar.gz" # stable archive path 31 31 "mirror://sourceforge/libpng/zlib/${version}/zlib-${version}.tar.gz" 32 32 ]; 33 33 - sha256 = "91844808532e5ce316b3c010929493c0244f3d37593afd6de04f71821d5136d9"; 33 33 + hash = "sha256-s6JN6XqP28g1uYMxaVAQMLiXcDG8tUs7OsE3QPhGqzA="; 34 34 }; 35 35 36 36 postPatch = lib.optionalString stdenv.hostPlatform.isDarwin '' ··· 39 39 --replace 'AR="libtool"' 'AR="${stdenv.cc.targetPrefix}ar"' \ 40 40 --replace 'ARFLAGS="-o"' 'ARFLAGS="-r"' 41 41 ''; 42 42 - 43 43 - patches = [ 44 44 - ./fix-configure-issue-cross.patch 45 45 - # Starting zlib 1.2.12, zlib is stricter to incorrect CRC inputs 46 46 - # with bits set above the low 32. 47 47 - # see https://github.com/madler/zlib/issues/618 48 48 - # TODO: remove the patch if upstream releases https://github.com/madler/zlib/commit/ec3df00224d4b396e2ac6586ab5d25f673caa4c2 49 49 - # see https://github.com/NixOS/nixpkgs/issues/170539 for history. 50 50 - ./comprehensive-crc-validation-for-wrong-implementations.patch 51 51 - ./CVE-2022-37434.patch 52 52 - ]; 53 42 54 43 strictDeps = true; 55 44 outputs = [ "out" "dev" ]

-24

pkgs/development/libraries/zlib/fix-configure-issue-cross.patch

reviewed

··· 1 1 - From 05796d3d8d5546cf1b4dfe2cd72ab746afae505d Mon Sep 17 00:00:00 2001 2 2 - From: Mark Adler <madler@alumni.caltech.edu> 3 3 - Date: Mon, 28 Mar 2022 18:34:10 -0700 4 4 - Subject: [PATCH] Fix configure issue that discarded provided CC definition. 5 5 - 6 6 - --- 7 7 - configure | 3 +++ 8 8 - 1 file changed, 3 insertions(+) 9 9 - 10 10 - diff --git a/configure b/configure 11 11 - index 52ff4a04e..3fa3e8618 100755 12 12 - --- a/configure 13 13 - +++ b/configure 14 14 - @@ -174,7 +174,10 @@ if test -z "$CC"; then 15 15 - else 16 16 - cc=${CROSS_PREFIX}cc 17 17 - fi 18 18 - +else 19 19 - + cc=${CC} 20 20 - fi 21 21 - + 22 22 - cflags=${CFLAGS-"-O3"} 23 23 - # to force the asm version use: CFLAGS="-O3 -DASMV" ./configure 24 24 - case "$cc" in