diff --git a/CVE-2022-33070.patch b/CVE-2022-33070.patch new file mode 100644 index 0000000000000000000000000000000000000000..3c9dd42943643397760086909554c5a92638ea94 --- /dev/null +++ b/CVE-2022-33070.patch @@ -0,0 +1,73 @@ +diff -Naru "protobuf-c-1.4.0 copy/protobuf-c/protobuf-c.c" protobuf-c-1.4.0/protobuf-c/protobuf-c.c +--- "protobuf-c-1.4.0 copy/protobuf-c/protobuf-c.c" 2022-07-04 11:35:58.920205000 +0800 ++++ protobuf-c-1.4.0/protobuf-c/protobuf-c.c 2022-07-04 11:41:59.158278000 +0800 +@@ -316,9 +316,8 @@ + static inline uint32_t + zigzag32(int32_t v) + { +- // Note: the right-shift must be arithmetic +- // Note: left shift must be unsigned because of overflow +- return ((uint32_t)(v) << 1) ^ (uint32_t)(v >> 31); ++ // Note: Using unsigned types prevents undefined behavior ++ return ((uint32_t)v << 1) ^ -((uint32_t)v >> 31); + } + + /** +@@ -380,9 +379,8 @@ + static inline uint64_t + zigzag64(int64_t v) + { +- // Note: the right-shift must be arithmetic +- // Note: left shift must be unsigned because of overflow +- return ((uint64_t)(v) << 1) ^ (uint64_t)(v >> 63); ++ // Note: Using unsigned types prevents undefined behavior ++ return ((uint64_t)v << 1) ^ -((uint64_t)v >> 63); + } + + /** +@@ -802,7 +800,8 @@ + } + + /** +- * Pack a signed 32-bit integer and return the number of bytes written. ++ * Pack a signed 32-bit integer and return the number of bytes written, ++ * passed as unsigned to avoid implementation-specific behavior. + * Negative numbers are encoded as two's complement 64-bit integers. + * + * \param value +@@ -813,14 +812,14 @@ + * Number of bytes written to `out`. + */ + static inline size_t +-int32_pack(int32_t value, uint8_t *out) ++int32_pack(uint32_t value, uint8_t *out) + { +- if (value < 0) { ++ if ((int32_t)value < 0) { + out[0] = value | 0x80; + out[1] = (value >> 7) | 0x80; + out[2] = (value >> 14) | 0x80; + out[3] = (value >> 21) | 0x80; +- out[4] = (value >> 28) | 0x80; ++ out[4] = (value >> 28) | 0xf0; + out[5] = out[6] = out[7] = out[8] = 0xff; + out[9] = 0x01; + return 10; +@@ -2425,7 +2424,7 @@ + unzigzag32(uint32_t v) + { + // Note: Using unsigned types prevents undefined behavior +- return (int32_t)((v >> 1) ^ (~(v & 1) + 1)); ++ return (int32_t)((v >> 1) ^ -(v & 1)); + } + + static inline uint32_t +@@ -2467,7 +2466,7 @@ + unzigzag64(uint64_t v) + { + // Note: Using unsigned types prevents undefined behavior +- return (int64_t)((v >> 1) ^ (~(v & 1) + 1)); ++ return (int64_t)((v >> 1) ^ -(v & 1)); + } + + static inline uint64_t diff --git a/protobuf-c.spec b/protobuf-c.spec index 15e53006c7c00291a91e8ab53544266f869b114a..12914b03294e95edd6e160e4f8a944eb5240df6b 100644 --- a/protobuf-c.spec +++ b/protobuf-c.spec @@ -1,10 +1,11 @@ Name: protobuf-c Version: 1.4.0 -Release: 2 +Release: 3 Summary: This is protobuf-c, a C implementation of the Google Protocol Buffers data serialization format License: BSD-2-Clause URL: https://github.com/protobuf-c/protobuf-c -Source0: %{url}/archive/refs/tags/v%{version}.tar.gz +Source0: %{url}/archive/refs/tags/v%{version}.tar.gz +Patch0001: CVE-2022-33070.patch BuildRequires: autoconf automake libtool gcc-c++ pkgconfig(protobuf) Provides: %{name}-compiler = %{version}-%{release} Obsoletes: %{name}-compiler < %{version}-%{release} @@ -48,6 +49,9 @@ make check %{_libdir}/{libprotobuf-c.so,pkgconfig/libprotobuf-c.pc} %changelog +* Mon Jul 4 2022 dengyuyu - 1.4.0-3 +- fix CVE-2022-33070 + * Tue May 10 2022 Ge Wang - 1.4.0-2 - License compliance rectification