Commit Graph

4 Commits

Author SHA1 Message Date
Petr Štetiar
9d8f620679 tools/zlib: bump to latest stable release 1.2.12 (CVE-2018-25032)
List of changes since previous release from 2018 is quite long:

 * Fix crc32.c to compile local functions only if used.
 * Check for cc masquerading as gcc or clang in configure.
 * Remove destructive aspects of make distclean.
 * Separate out address sanitizing from warnings in configure.
 * Eliminate use of ULL constants.
 * Add fallthrough comments for gcc.
 * Clean up minizip to reduce warnings for testing.
 * Fix unztell64() in minizip to work past 4GB. (Daniël Hörchner)
 * minizip warning fix if MAXU32 already defined. (gvollant)
 * Replace black/white with allow/block. (theresa-m)
 * Fix indentation in minizip's zip.c.
 * Improve portability of contrib/minizip.
 * Correct typo in blast.c.
 * Change macro name in inflate.c to avoid collision in VxWorks.
 * Clarify gz* function interfaces, referring to parameter names.
 * Fix error in comment on the polynomial representation of a byte.
 * Fix memory leak on error in gzlog.c.
 * Avoid adding empty gzip member after gzflush with Z_FINISH.
 * Explicitly note that the 32-bit check values are 32 bits.
 * Use ARM crc32 instructions if the ARM architecture has them.
 * Add use of the ARMv8 crc32 instructions when requested.
 * Correct comment in crc32.c.
 * Don't bother computing check value after successful inflateSync().
 * Use atomic test and set, if available, for dynamic CRC tables.
 * Speed up software CRC-32 computation by a factor of 1.5 to 3.
 * Add crc32_combine_gen() and crc32_combine_op() for fast combines.
 * Add tables for crc32_combine(), to speed it up by a factor of 200.
 * Fix the zran.c example to work on a multiple-member gzip file.
 * Add gznorm.c example, which normalizes gzip files.
 * Show all the codes for the maximum tables size in enough.c.
 * Clarify that prefix codes are counted in enough.c.
 * Use inline function instead of macro for index in enough.c.
 * Clean up code style in enough.c, update version.
 * Use a macro for the printf format of big_t in enough.c.
 * Use a structure to make globals in enough.c evident.
 * Assure that the number of bits for deflatePrime() is valid.
 * Fix a bug that can crash deflate on some input when using Z_FIXED.
 * Correct the initialization requirements for deflateInit2().
 * Emphasize the need to continue decompressing gzip members.
 * Add legal disclaimer to README.
 * Fix deflateEnd() to not report an error at start of raw deflate.
 * Remove old assembler code in which bugs have manifested.
 * Make the names in functions declarations identical to definitions.
 * Avoid an undefined behavior of memcpy() in _tr_stored_block().
 * Avoid undefined behaviors of memcpy() in gz*printf().
 * Avoid an undefined behavior of memcpy() in gzappend().
 * Avoid the use of ptrdiff_t.
 * Handle case where inflateSync used when header never processed.
 * Don't compute check value for raw inflate if asked to validate.
 * Add address checking in clang to -w option of configure.
 * Return an error if the gzputs string length can't fit in an int.
 * Small speedup to inflate [psumbera].
 * Update use of errno for newer Windows CE versions.
 * Avoid some conversion warnings in gzread.c and gzwrite.c.
 * Have Makefile return non-zero error code on test failure.
 * Avoid a conversion error in gzseek when off_t type too small.
 * Fix CLEAR_HASH macro to be usable as a single statement.
 * Fix bug when window full in deflate_stored().
 * Limit hash table inserts after switch from stored deflate.
 * Permit a deflateParams() parameter change as soon as possible.
 * Cygwin does not have _wopen(), so do not create gzopen_w() there.

Removed 006-fix-compressor-crash-on-certain-inputs.patch which was
hotfix for CVE-2018-25032 and is now included in this release.

This release is not available on @SF (yet?) so the sources are now
pulled from GitHub.

Fixes: CVE-2018-25032
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-03-28 09:27:56 +02:00
Petr Štetiar
b3aa2909a7 zlib: backport security fix for a reproducible crash in compressor
Tavis has just reported, that he was recently trying to track down a
reproducible crash in a compressor. Believe it or not, it really was a
bug in zlib-1.2.11 when compressing (not decompressing!) certain inputs.

Tavis has reported it upstream, but it turns out the issue has been
public since 2018, but the patch never made it into a release. As far as
he knows, nobody ever assigned it a CVE.

Suggested-by: Tavis Ormandy <taviso@gmail.com>
References: https://www.openwall.com/lists/oss-security/2022/03/24/1
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-03-24 08:15:24 +01:00
Jo-Philipp Wich
4da832e201 tools: zlib: do not hardcode the install prefix in zlib.pc
Our pkg-config wrapper relies on the ability to redefine the $prefix and
$exec_prefix variables in order to construct proper search paths relative
to the build environment.

Patch the .pc file template to construct libdir, sharedlibdir and includedir
relative to the ${prefix} variable so that it can be overridden as needed.

This also fixes the libxml2/host build issue raised at
https://github.com/openwrt/packages/issues/6073 - it was caused by libxml2's
configure picking up a wrong host search path through zlib.pc, letting it
include the wrong endian.h, causing spurious member redeclaration errors in
system headers.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-05-24 17:07:10 +02:00
Hauke Mehrtens
8dcd941d8b tools/zlib: move zlib build to tools
This allows us to link the other tools against our libz and we do not
need the system zlib any more.

Only the static linked library is copied to the staging directory so we
have a statically linked library on all systems and not only on Linux.
This also adds the new dependencies of the packages which are depending
on zlib.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-04-28 15:28:59 +02:00