From dc303621efb5cfae93f32160124be46429b56e21 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Tue, 16 May 2023 16:22:41 +0800
Subject: [PATCH] Fix CVE-2022-37434

---
 CVE-2022-37434-1.patch | 38 ++++++++++++++++++++++++++++++++++++++
 CVE-2022-37434-2.patch | 35 +++++++++++++++++++++++++++++++++++
 mysql.spec             |  9 ++++++++-
 3 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-37434-1.patch
 create mode 100644 CVE-2022-37434-2.patch

diff --git a/CVE-2022-37434-1.patch b/CVE-2022-37434-1.patch
new file mode 100644
index 0000000..ee3aff5
--- /dev/null
+++ b/CVE-2022-37434-1.patch
@@ -0,0 +1,38 @@
+From a16f5c7b7c5353cda8c8235d9a6765c7fe3c1231 Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Tue, 16 May 2023 15:15:10 +0800
+Subject: [PATCH 1/1] Fix a bug when getting a gzip header extra field with
+ inflate().
+
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+
+Origin:
+https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
+---
+ extra/zlib/inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/extra/zlib/inflate.c b/extra/zlib/inflate.c
+index 7be8c636..7a728974 100644
+--- a/extra/zlib/inflate.c
++++ b/extra/zlib/inflate.c
+@@ -763,9 +763,10 @@ int flush;
+                 copy = state->length;
+                 if (copy > have) copy = have;
+                 if (copy) {
++                    len = state->head->extra_len - state->length;
+                     if (state->head != Z_NULL &&
+-                        state->head->extra != Z_NULL) {
+-                        len = state->head->extra_len - state->length;
++                        state->head->extra != Z_NULL &&
++                        len < state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);
+-- 
+2.30.0
+
diff --git a/CVE-2022-37434-2.patch b/CVE-2022-37434-2.patch
new file mode 100644
index 0000000..b9453da
--- /dev/null
+++ b/CVE-2022-37434-2.patch
@@ -0,0 +1,35 @@
+From 49a8fd61c4f8db9b8e9a50e70114cedc5842178e Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Tue, 16 May 2023 15:17:40 +0800
+Subject: [PATCH 1/1] Fix extra field processing bug that dereferences NULL
+ state->head.
+
+The recent commit to fix a gzip header extra field processing bug
+introduced the new bug fixed here.
+
+Origin:
+https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
+---
+ extra/zlib/inflate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/extra/zlib/inflate.c b/extra/zlib/inflate.c
+index 7a728974..2a3c4fe9 100644
+--- a/extra/zlib/inflate.c
++++ b/extra/zlib/inflate.c
+@@ -763,10 +763,10 @@ int flush;
+                 copy = state->length;
+                 if (copy > have) copy = have;
+                 if (copy) {
+-                    len = state->head->extra_len - state->length;
+                     if (state->head != Z_NULL &&
+                         state->head->extra != Z_NULL &&
+-                        len < state->head->extra_max) {
++                        (len = state->head->extra_len - state->length) <
++                            state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);
+-- 
+2.30.0
+
diff --git a/mysql.spec b/mysql.spec
index 44dfcb7..e029005 100644
--- a/mysql.spec
+++ b/mysql.spec
@@ -7,7 +7,7 @@
 %global boost_bundled_version 1.73.0
 Name:              mysql
 Version:           8.0.28
-Release:           1
+Release:           2
 License:           GPLv2 with exceptions and LGPLv2 and BSD
 Summary:           The world's most popular open source database
 URL:               http://www.mysql.com/
@@ -23,6 +23,8 @@ Patch10:boost-1.58.0-pool.patch
 Patch11:boost-1.57.0-mpl-print.patch
 Patch12:%{pkgnamepatch}-fix-includes-robin-hood.patch
 Patch13:disable-moutline-atomics-for-aarch64.patch
+Patch14:           CVE-2022-37434-1.patch
+Patch15:           CVE-2022-37434-2.patch
 
 BuildRequires:     cmake openssl-devel ncurses-devel libtirpc-devel rpcgen libcurl-devel make
  
@@ -53,6 +55,8 @@ further info.
 %patch8 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
+%patch15 -p1
 pushd boost/boost_$(echo %{boost_bundled_version}| tr . _)
 %patch10 -p0
 %patch11 -p1
@@ -113,6 +117,9 @@ fi
 %exclude /usr/lib/debug
 
 %changelog
+* Tue May 16 2023 yaoxin <yao_xin001@hoperun.com> - 8.0.28-2
+- Fix CVE-2022-37434
+
 * Tue Jan 25 yaoxin <yaoxin30@huawei.com> - 8.0.28-1
 - Upgrade mysql to 8.0.28 to fix cves.
 
-- 
Gitee