mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-02 13:29:49 +00:00
Code Issues Projects Releases Wiki Activity

zlib: CVE-2022-37434 a heap-based buffer over-read

Browse Source 
Source: https://github.com/madler/zlib
MR: 120531
Type: Security Fix
Disposition: Backport from https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1 & https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
ChangeID: 364c17d74213c64fe40b9b37ee78aa172ff93acf
Description:
          CVE-2022-37434 zlib: a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field.

(From OE-Core rev: 10ed7cf347d9e73b29e4a3f6ef77e0a4b08e350b)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Hitendra Prajapati
2022-08-17 14:35:05 +05:30
committed by Richard Purdie
parent ae4acc9f81
commit 98dd6e4cac
2 changed files with 45 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-core/zlib/zlib/CVE-2022-37434.patch
+44
View File
@@ -0,0 +1,44 @@
From 8617d83d6939754ae3a04fc2d22daa18eeea2a43 Mon Sep 17 00:00:00 2001
From: Hitendra Prajapati <hprajapati@mvista.com>
Date: Wed, 17 Aug 2022 10:15:57 +0530
Subject: [PATCH] CVE-2022-37434
Upstream-Status: Backport [https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1 & https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d]
CVE: CVE-2022-37434
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Fix a bug when getting a gzip header extra field with inflate().
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
Fix extra field processing bug that dereferences NULL state->head.
The recent commit to fix a gzip header extra field processing bug
introduced the new bug fixed here.
---
inflate.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/inflate.c b/inflate.c
index ac333e8..cd01857 100644
--- a/inflate.c
+++ b/inflate.c
@@ -759,8 +759,9 @@ int flush;
if (copy > have) copy = have;
if (copy) {
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ (len = state->head->extra_len - state->length) <
+ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);
--
2.25.1
meta/recipes-core/zlib/zlib_1.2.11.bb
+1
View File
@@ -10,6 +10,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
file://ldflags-tests.patch \
file://CVE-2018-25032.patch \
file://run-ptest \
file://CVE-2022-37434.patch \
"
UPSTREAM_CHECK_URI = "http://zlib.net/"