diff --git a/0001-fix-cve-CVE-2016-9840.patch b/0001-fix-cve-CVE-2016-9840.patch
new file mode 100644
index 0000000000000000000000000000000000000000..87685c2da2484edf5333a91a64bab93c3ed8d10f
--- /dev/null
+++ b/0001-fix-cve-CVE-2016-9840.patch
@@ -0,0 +1,66 @@
+From 22e4e30447f1a781d29cca89cbbf80fbae4c0cb5 Mon Sep 17 00:00:00 2001
+From: zhuhongbo
+Date: Tue, 3 Jun 2025 15:33:54 +0800
+Subject: [PATCH] fix cve CVE-2016-9840
+
+---
+ inftrees.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/inftrees.c b/inftrees.c
+index d1cdcdc..68cf7c6 100644
+--- a/inftrees.c
++++ b/inftrees.c
+@@ -54,7 +54,7 @@ unsigned short FAR *work;
+ code FAR *next; /* next available space in table */
+ const unsigned short FAR *base; /* base value table to use */
+ const unsigned short FAR *extra; /* extra bits table to use */
+- int end; /* use base and extra for symbol > end */
++ unsigned match; /* use base and extra for symbol >= match */
+ unsigned short count[MAXBITS+1]; /* number of codes of each length */
+ unsigned short offs[MAXBITS+1]; /* offsets in table for each length */
+ static const unsigned short lbase[31] = { /* Length codes 257..285 base */
+@@ -181,19 +181,17 @@ unsigned short FAR *work;
+ switch (type) {
+ case CODES:
+ base = extra = work; /* dummy value--not used */
+- end = 19;
++ match = 20;
+ break;
+ case LENS:
+ base = lbase;
+- base -= 257;
+ extra = lext;
+- extra -= 257;
+- end = 256;
++ match = 257;
+ break;
+ default: /* DISTS */
+ base = dbase;
+ extra = dext;
+- end = -1;
++ match = 0;
+ }
+
+ /* initialize state for loop */
+@@ -216,13 +214,13 @@ unsigned short FAR *work;
+ for (;;) {
+ /* create table entry */
+ here.bits = (unsigned char)(len - drop);
+- if ((int)(work[sym]) < end) {
++ if (work[sym] + 1 < match) {
+ here.op = (unsigned char)0;
+ here.val = work[sym];
+ }
+- else if ((int)(work[sym]) > end) {
+- here.op = (unsigned char)(extra[work[sym]]);
+- here.val = base[work[sym]];
++ else if (work[sym] >= match) {
++ here.op = (unsigned char)(extra[work[sym] - match]);
++ here.val = base[work[sym] - match];
+ }
+ else {
+ here.op = (unsigned char)(32 + 64); /* end of block */
+--
+2.39.3
+
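Review bot: The test `work[sym] + 1 < match` in the last inftrees.c hunk has no comment saying why it is not written `work[sym] < match - 1`; with `match` now unsigned and set to 0 for DISTS, that simpler-looking form would wrap and route every distance symbol into the literal branch. Since this is a backport, I would record the reason in the patch description rather than alter the upstream code, e.g. `work[sym] + 1 < match is deliberate: match - 1 would wrap when match == 0 (DISTS)`. The new indices `work[sym] - match` into `base` and `extra` are in range only if the symbol values are bounded by code outside these hunks, so that bound is worth confirming against the table sizes (`lbase[31]` is visible in the first hunk). The enclosing function begins and ends outside all three hunks.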
diff --git a/zlib.spec b/zlib.spec
index c215022f60169252aaa90bacf28c45ec6a03346a..2277c29679cb1f1362699456a1415b44a8a5decd 100644
--- a/zlib.spec
+++ b/zlib.spec
@@ -1,7 +1,7 @@
 Summary: The compression and decompression library
 Name: zlib
 Version: 1.2.7
-Release: 21%{?dist}
+Release: 21%{?dist}.1
 # /contrib/dotzlib/ have Boost license
 License: zlib and Boost
 Group: System Environment/Libraries
@@ -23,7 +23,7 @@ Patch6: zlib-1.2.7-CVE-2018-25032.patch
 # Patches for CVE-2022-37434
 Patch12: zlib-1.2.7-cve-2022-37434.patch
 Patch13: zlib-1.2.7-cve-2022-37434_2.patch
-
+Patch14: 0001-fix-cve-CVE-2016-9840.patch
 BuildRequires: automake, autoconf, libtool
@@ -86,6 +86,7 @@ mv ChangeLog.tmp ChangeLog
 %patch6 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
 %build
 %ifarch ppc64 ppc64le
@@ -149,6 +150,9 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 %{_libdir}/pkgconfig/minizip.pc
 %changelog
+* Tue Jun 03 2025 zhuhongbo - 1.2.7-21.1
+- cve: fix cve CVE-2016-9840
+
 * Mon Jan 30 2023 Lukas Javorsky - 1.2.7-21
 - Fix heap-based buffer over-read or buffer overflow in inflate in inflate.c
 - Resolves: CVE-2022-37434
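Review bot: `Patch14` is registered without the kind of comment line the neighbouring entries carry (`# Patches for CVE-2022-37434`), and neither the spec nor the patch header names the upstream zlib commit being backported. A line such as `# Patch for CVE-2016-9840, backport of upstream commit <upstream-commit-id>` above `Patch14:` would let the backport be compared against the original fix. The file name `0001-fix-cve-CVE-2016-9840.patch` also departs from the `zlib-1.2.7-cve-…` pattern used by the other patches visible in this hunk.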