zchunk: patch CVE-2023-46228

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-46228 Pick the patch that's mentioned in the nvd report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-06-13 17:39:57 +00:00 · 2025-10-13 21:09:20 +02:00
parent ed6bb390fe
commit f4adc003e4
2 changed files with 108 additions and 1 deletions
@@ -0,0 +1,105 @@
+From de832945bb88372d6007770328e9d2534aa9bbc1 Mon Sep 17 00:00:00 2001
+From: Jonathan Dieter <jdieter@gmail.com>
+Date: Thu, 5 Oct 2023 19:52:18 +0100
+Subject: [PATCH] Handle overflow errors in malformed zchunk files
+
+Thanks to Agostino Sarubbo of Gentoo for the heads up!
+
+CVE: CVE-2023-46228
+Upstream-Status: Backport [https://github.com/zchunk/zchunk/commit/08aec2b4dfd7f709b6e3d511411ffcc83ed4efbe]
+
+Signed-off-by: Jonathan Dieter <jdieter@gmail.com>
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/lib/comp/comp.c      |  6 ++++++
+ src/lib/comp/zstd/zstd.c |  6 ++++++
+ src/lib/dl/multipart.c   |  6 ++++++
+ src/lib/header.c         | 13 ++++++++++++-
+ 4 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/comp/comp.c b/src/lib/comp/comp.c
+index 4786e41..38dea9d 100644
+--- a/src/lib/comp/comp.c
+++ b/src/lib/comp/comp.c
+@@ -115,6 +115,12 @@ static bool comp_add_to_data(zckCtx *zck, zckComp *comp, const char *src,
+     ALLOCD_BOOL(zck, comp);
+     ALLOCD_BOOL(zck, src);
+ 
+    if((comp->data_size > comp->data_size + src_size) ||
+       (src_size > comp->data_size + src_size)) {
+        zck_log(ZCK_LOG_ERROR, "Integer overflow when reading data");
+        return false;
+    }
+
+     comp->data = zrealloc(comp->data, comp->data_size + src_size);
+     if (!comp->data) {
+         zck_log(ZCK_LOG_ERROR, "OOM in %s", __func__);
+diff --git a/src/lib/comp/zstd/zstd.c b/src/lib/comp/zstd/zstd.c
+index a12ddfe..5b68b6a 100644
+--- a/src/lib/comp/zstd/zstd.c
+++ b/src/lib/comp/zstd/zstd.c
+@@ -117,6 +117,12 @@ static ssize_t compress(zckCtx *zck, zckComp *comp, const char *src,
+     ALLOCD_INT(zck, dst_size);
+     ALLOCD_INT(zck, comp);
+ 
+    if((comp->dc_data_size > comp->dc_data_size + src_size) ||
+       (src_size > comp->dc_data_size + src_size)) {
+        zck_log(ZCK_LOG_ERROR, "Integer overflow when reading decompressed data");
+        return false;
+    }
+
+     comp->dc_data = zrealloc(comp->dc_data, comp->dc_data_size + src_size);
+     if (!comp->dc_data) {
+         zck_log(ZCK_LOG_ERROR, "OOM in %s", __func__);
+diff --git a/src/lib/dl/multipart.c b/src/lib/dl/multipart.c
+index d0cbd5a..f4855de 100644
+--- a/src/lib/dl/multipart.c
+++ b/src/lib/dl/multipart.c
+@@ -119,6 +119,12 @@ size_t multipart_extract(zckDL *dl, char *b, size_t l) {
+ 
+     /* Add new data to stored buffer */
+     if(mp->buffer) {
+        if((mp->buffer_len > mp->buffer_len + l) ||
+           (l > mp->buffer_len + l)) {
+            zck_log(ZCK_LOG_ERROR, "Integer overflow when extracting multipart data");
+            return 0;
+        }
+
+         buf = zrealloc(mp->buffer, mp->buffer_len + l);
+         if (!buf) {
+             zck_log(ZCK_LOG_ERROR, "OOM in %s", __func__);
+diff --git a/src/lib/header.c b/src/lib/header.c
+index 16ea3e8..f46ed10 100644
+--- a/src/lib/header.c
+++ b/src/lib/header.c
+@@ -74,11 +74,16 @@ static bool read_optional_element(zckCtx *zck, size_t id, size_t data_size,
+ }
+ 
+ static bool read_header_from_file(zckCtx *zck) {
+-    /* Verify that lead_size and header_length have been set */
+    /* Verify that lead_size and header_length have been set and are legit */
+     if(zck->lead_size == 0 || zck->header_length == 0) {
+         set_error(zck, "Lead and header sizes are both 0.  Have you run zck_read_lead() yet?");
+         return false;
+     }
+    if((zck->lead_size > zck->lead_size + zck->header_length) ||
+       (zck->header_length > zck->lead_size + zck->header_length)) {
+        zck_log(ZCK_LOG_ERROR, "Integer overflow when reading header");
+        return false;
+    }
+ 
+     /* Allocate header and store any extra bytes at beginning of header */
+     zck->header = zrealloc(zck->header, zck->lead_size + zck->header_length);
+@@ -525,6 +530,12 @@ static bool read_lead(zckCtx *zck) {
+     /* Set header digest location */
+     zck->hdr_digest_loc = length;
+ 
+    /* Verify that we're not going to overflow */
+    if(length > length + zck->hash_type.digest_size) {
+        zck_log(ZCK_LOG_ERROR, "Integer overflow when reading lead");
+        return false;
+    }
+
+     /* Read header digest */
+     zck_log(ZCK_LOG_DEBUG, "Reading header digest");
+     header = zrealloc(header, length + zck->hash_type.digest_size);
@@ -4,7 +4,9 @@ AUTHOR = "Jonathan Dieter"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=daf6e68539f564601a5a5869c31e5242"

-SRC_URI = "git://github.com/zchunk/zchunk.git;protocol=https;branch=main"
+SRC_URI = "git://github.com/zchunk/zchunk.git;protocol=https;branch=main \
+           file://0001-Handle-overflow-errors-in-malformed-zchunk-files.patch \
+           "

 SRCREV = "dd6a30a1e4e8b738b0cafc682f3c00e7706134e5"
 S = "${WORKDIR}/git"