Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Sam James <sam@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-libs/zlib/files/, sys-libs/zlib/
Date: Tue, 16 Aug 2022 00:52:20
Message-Id: 1660611124.05fd542aa1119b54b8ba2bb79817f7016d0cacad.sam@gentoo
1 commit: 05fd542aa1119b54b8ba2bb79817f7016d0cacad
2 Author: Sam James <sam <AT> gentoo <DOT> org>
3 AuthorDate: Tue Aug 16 00:52:04 2022 +0000
4 Commit: Sam James <sam <AT> gentoo <DOT> org>
5 CommitDate: Tue Aug 16 00:52:04 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05fd542a
7
8 sys-libs/zlib: patch CVE-2022-37434
9
10 (includes the additional fix which curl exposed too)
11
12 Bug: https://bugs.gentoo.org/863851
13 Signed-off-by: Sam James <sam <AT> gentoo.org>
14
15 .../zlib/files/zlib-1.2.12-CVE-2022-37434.patch | 55 ++++++
16 sys-libs/zlib/zlib-1.2.12-r3.ebuild | 199 +++++++++++++++++++++
17 2 files changed, 254 insertions(+)
18
19 diff --git a/sys-libs/zlib/files/zlib-1.2.12-CVE-2022-37434.patch b/sys-libs/zlib/files/zlib-1.2.12-CVE-2022-37434.patch
20 new file mode 100644
21 index 000000000000..1ef3b909e435
22 --- /dev/null
23 +++ b/sys-libs/zlib/files/zlib-1.2.12-CVE-2022-37434.patch
24 @@ -0,0 +1,55 @@
25 +https://bugs.gentoo.org/863851
26 +https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
27 +https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d (see https://github.com/curl/curl/issues/9271)
28 +
29 +From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
30 +From: Mark Adler <fork@××××××.net>
31 +Date: Sat, 30 Jul 2022 15:51:11 -0700
32 +Subject: [PATCH] Fix a bug when getting a gzip header extra field with
33 + inflate().
34 +
35 +If the extra field was larger than the space the user provided with
36 +inflateGetHeader(), and if multiple calls of inflate() delivered
37 +the extra header data, then there could be a buffer overflow of the
38 +provided space. This commit assures that provided space is not
39 +exceeded.
40 +--- a/inflate.c
41 ++++ b/inflate.c
42 +@@ -763,9 +763,10 @@ int flush;
43 + copy = state->length;
44 + if (copy > have) copy = have;
45 + if (copy) {
46 ++ len = state->head->extra_len - state->length;
47 + if (state->head != Z_NULL &&
48 +- state->head->extra != Z_NULL) {
49 +- len = state->head->extra_len - state->length;
50 ++ state->head->extra != Z_NULL &&
51 ++ len < state->head->extra_max) {
52 + zmemcpy(state->head->extra + len, next,
53 + len + copy > state->head->extra_max ?
54 + state->head->extra_max - len : copy);
55 +
56 +From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
57 +From: Mark Adler <fork@××××××.net>
58 +Date: Mon, 8 Aug 2022 10:50:09 -0700
59 +Subject: [PATCH] Fix extra field processing bug that dereferences NULL
60 + state->head.
61 +
62 +The recent commit to fix a gzip header extra field processing bug
63 +introduced the new bug fixed here.
64 +--- a/inflate.c
65 ++++ b/inflate.c
66 +@@ -763,10 +763,10 @@ int flush;
67 + copy = state->length;
68 + if (copy > have) copy = have;
69 + if (copy) {
70 +- len = state->head->extra_len - state->length;
71 + if (state->head != Z_NULL &&
72 + state->head->extra != Z_NULL &&
73 +- len < state->head->extra_max) {
74 ++ (len = state->head->extra_len - state->length) <
75 ++ state->head->extra_max) {
76 + zmemcpy(state->head->extra + len, next,
77 + len + copy > state->head->extra_max ?
78 + state->head->extra_max - len : copy);
79 +
80
81 diff --git a/sys-libs/zlib/zlib-1.2.12-r3.ebuild b/sys-libs/zlib/zlib-1.2.12-r3.ebuild
82 new file mode 100644
83 index 000000000000..1117652b5367
84 --- /dev/null
85 +++ b/sys-libs/zlib/zlib-1.2.12-r3.ebuild
86 @@ -0,0 +1,199 @@
87 +# Copyright 1999-2022 Gentoo Authors
88 +# Distributed under the terms of the GNU General Public License v2
89 +
90 +EAPI=8
91 +
92 +# Worth keeping an eye on 'develop' branch upstream for possible backports.
93 +AUTOTOOLS_AUTO_DEPEND="no"
94 +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/madler.asc
95 +inherit autotools multilib-minimal usr-ldscript verify-sig
96 +
97 +CYGWINPATCHES=(
98 + "https://github.com/cygwinports/zlib/raw/22a3462cae33a82ad966ea0a7d6cbe8fc1368fec/1.2.11-gzopen_w.patch -> ${PN}-1.2.11-cygwin-gzopen_w.patch"
99 + "https://github.com/cygwinports/zlib/raw/22a3462cae33a82ad966ea0a7d6cbe8fc1368fec/1.2.7-minizip-cygwin.patch -> ${PN}-1.2.7-cygwin-minizip.patch"
100 +)
101 +
102 +DESCRIPTION="Standard (de)compression library"
103 +HOMEPAGE="https://zlib.net/"
104 +SRC_URI="https://zlib.net/${P}.tar.gz
105 + https://zlib.net/fossils/${P}.tar.gz
106 + https://www.gzip.org/zlib/${P}.tar.gz
107 + https://www.zlib.net/current/beta/${P}.tar.gz
108 + verify-sig? ( https://zlib.net/${P}.tar.gz.asc )
109 + elibc_Cygwin? ( ${CYGWINPATCHES[*]} )"
110 +
111 +LICENSE="ZLIB"
112 +SLOT="0/1" # subslot = SONAME
113 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
114 +IUSE="minizip static-libs"
115 +
116 +RDEPEND="!sys-libs/zlib-ng[compat]"
117 +DEPEND="${RDEPEND}"
118 +BDEPEND="minizip? ( ${AUTOTOOLS_DEPEND} )
119 + verify-sig? ( sec-keys/openpgp-keys-madler )"
120 +
121 +PATCHES=(
122 + # Don't install unexpected & unused crypt.h header (which would clash with other pkgs)
123 + # Pending upstream. bug #658536
124 + "${FILESDIR}"/${PN}-1.2.11-minizip-drop-crypt-header.patch
125 +
126 + # Respect AR, RANLIB, NM during build. Pending upstream. bug #831628
127 + "${FILESDIR}"/${PN}-1.2.11-configure-fix-AR-RANLIB-NM-detection.patch
128 +
129 + # Respect LDFLAGS during configure tests. Pending upstream
130 + "${FILESDIR}"/${PN}-1.2.12-use-LDFLAGS-in-configure.patch
131 +
132 + # Fix broken CC logic
133 + "${FILESDIR}"/${P}-fix-CC-logic-in-configure.patch
134 +
135 + # Backport for Java (and others), bug #836370
136 + "${FILESDIR}"/${P}-CRC-buggy-input.patch
137 +
138 + # bug #863851
139 + "${FILESDIR}"/${P}-CVE-2022-37434.patch
140 +)
141 +
142 +src_prepare() {
143 + default
144 +
145 + if use elibc_Cygwin ; then
146 + local p
147 + for p in "${CYGWINPATCHES[@]}" ; do
148 + # Strip out the "... -> " from the array
149 + eapply -p2 "${DISTDIR}/${p#*> }"
150 + done
151 + fi
152 +
153 + if use minizip ; then
154 + cd contrib/minizip || die
155 + eautoreconf
156 + fi
157 +
158 + case ${CHOST} in
159 + *-cygwin*)
160 + # Do not use _wopen, it's a mingw-only symbol
161 + sed -i -e '/define WIDECHAR/d' "${S}"/gzguts.h || die
162 +
163 + # zlib1.dll is the mingw name, need cygz.dll
164 + # cygz.dll is loaded by toolchain, put into subdir
165 + sed -i -e 's|zlib1.dll|win32/cygz.dll|' win32/Makefile.gcc || die
166 +
167 + ;;
168 + esac
169 +
170 + case ${CHOST} in
171 + *-mingw*|mingw*|*-cygwin*)
172 + # Uses preconfigured Makefile rather than configure script
173 + multilib_copy_sources
174 +
175 + ;;
176 + esac
177 +}
178 +
179 +echoit() { echo "$@"; "$@"; }
180 +
181 +multilib_src_configure() {
182 + case ${CHOST} in
183 + *-mingw*|mingw*|*-cygwin*)
184 + ;;
185 +
186 + *)
187 + # bug #347167
188 + local uname=$("${BROOT}"/usr/share/gnuconfig/config.sub "${CHOST}" | cut -d- -f3)
189 +
190 + local myconf=(
191 + --shared
192 + --prefix="${EPREFIX}/usr"
193 + --libdir="${EPREFIX}/usr/$(get_libdir)"
194 + ${uname:+--uname=${uname}}
195 + )
196 +
197 + # Not an autoconf script, so can't use econf
198 + echoit "${S}"/configure "${myconf[@]}" || die
199 +
200 + ;;
201 + esac
202 +
203 + if use minizip ; then
204 + local minizipdir="contrib/minizip"
205 + mkdir -p "${BUILD_DIR}/${minizipdir}" || die
206 +
207 + cd ${minizipdir} || die
208 + ECONF_SOURCE="${S}/${minizipdir}" econf $(use_enable static-libs static)
209 + fi
210 +}
211 +
212 +multilib_src_compile() {
213 + case ${CHOST} in
214 + *-mingw*|mingw*|*-cygwin*)
215 + emake -f win32/Makefile.gcc STRIP=true PREFIX=${CHOST}-
216 + sed \
217 + -e 's|@prefix@|'"${EPREFIX}"'/usr|g' \
218 + -e 's|@exec_prefix@|${prefix}|g' \
219 + -e 's|@libdir@|${exec_prefix}/'$(get_libdir)'|g' \
220 + -e 's|@sharedlibdir@|${exec_prefix}/'$(get_libdir)'|g' \
221 + -e 's|@includedir@|${prefix}/include|g' \
222 + -e 's|@VERSION@|'${PV}'|g' \
223 + zlib.pc.in > zlib.pc || die
224 + ;;
225 +
226 + *)
227 + emake
228 +
229 + ;;
230 + esac
231 +
232 + use minizip && emake -C contrib/minizip
233 +}
234 +
235 +sed_macros() {
236 + # Clean up namespace a little, bug #383179
237 + # We do it here so we only have to tweak 2 files
238 + sed -i -r 's:\<(O[FN])\>:_Z_\1:g' "$@" || die
239 +}
240 +
241 +multilib_src_install() {
242 + case ${CHOST} in
243 + *-mingw*|mingw*|*-cygwin*)
244 + emake -f win32/Makefile.gcc install \
245 + BINARY_PATH="${ED}/usr/bin" \
246 + LIBRARY_PATH="${ED}/usr/$(get_libdir)" \
247 + INCLUDE_PATH="${ED}/usr/include" \
248 + SHARED_MODE=1
249 +
250 + # Overwrites zlib.pc created from win32/Makefile.gcc, bug #620136
251 + insinto /usr/$(get_libdir)/pkgconfig
252 + doins zlib.pc
253 +
254 + ;;
255 +
256 + *)
257 + emake install DESTDIR="${D}" LDCONFIG=:
258 + gen_usr_ldscript -a z
259 +
260 + ;;
261 + esac
262 +
263 + sed_macros "${ED}"/usr/include/*.h
264 +
265 + if use minizip ; then
266 + emake -C contrib/minizip install DESTDIR="${D}"
267 + sed_macros "${ED}"/usr/include/minizip/*.h
268 + fi
269 +
270 + if use minizip; then
271 + # This might not exist if slibtool is used.
272 + # bug #816756
273 + rm -f "${ED}"/usr/$(get_libdir)/libminizip.la || die
274 + fi
275 +
276 + if ! use static-libs ; then
277 + # bug #419645
278 + rm "${ED}"/usr/$(get_libdir)/libz.a || die
279 + fi
280 +}
281 +
282 +multilib_src_install_all() {
283 + dodoc FAQ README ChangeLog doc/*.txt
284 + use minizip && dodoc contrib/minizip/*.txt
285 +}
Report Message
Find on MARC Find on Google Groups