[gcc-6] 320/401: * Apply patches for zlib security issues CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843.
Ximin Luo
infinity0 at debian.org
Wed Apr 5 15:50:24 UTC 2017
This is an automated email from the git hooks/post-receive script.
infinity0 pushed a commit to branch pu/reproducible_builds
in repository gcc-6.
commit 7b391a4f340eb69d829f728d194d29ec453e4ed8
Author: doko <doko at 6ca36cf4-e1d1-0310-8c6f-e303bb2178ca>
Date: Thu Dec 15 19:46:30 2016 +0000
* Apply patches for zlib security issues CVE-2016-9840, CVE-2016-9841,
CVE-2016-9842, CVE-2016-9843.
git-svn-id: svn://anonscm.debian.org/gcccvs/branches/sid/gcc-6@9188 6ca36cf4-e1d1-0310-8c6f-e303bb2178ca
---
debian/changelog | 4 +-
debian/patches/CVE-2016-9840.diff | 69 ++++++++++++
debian/patches/CVE-2016-9841.diff | 222 ++++++++++++++++++++++++++++++++++++++
debian/patches/CVE-2016-9842.diff | 27 +++++
debian/patches/CVE-2016-9843.diff | 47 ++++++++
debian/rules.patch | 5 +-
6 files changed, 372 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 3ef3f32..a0cefbf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-gcc-6 (6.2.1-7) UNRELEASED; urgency=medium
+gcc-6 (6.2.1-6.1) UNRELEASED; urgency=medium
* Update to SVN 20161215 (r243686, 6.2.1) from the gcc-6-branch.
- Fix PR libstdc++/78465, PR c++/78761, PR c++/78252, PR target/59874,
@@ -6,6 +6,8 @@ gcc-6 (6.2.1-7) UNRELEASED; urgency=medium
PR rtl-optimization/71496, PR c++/78701.
* Drop build dependency on g++-5.
* Fix PR c++/78774, proposed for the gcc-6-branch.
+ * Apply patches for zlib security issues CVE-2016-9840, CVE-2016-9841,
+ CVE-2016-9842, CVE-2016-9843.
-- Matthias Klose <doko at debian.org> Tue, 13 Dec 2016 08:37:46 +0100
diff --git a/debian/patches/CVE-2016-9840.diff b/debian/patches/CVE-2016-9840.diff
new file mode 100644
index 0000000..c29fba0
--- /dev/null
+++ b/debian/patches/CVE-2016-9840.diff
@@ -0,0 +1,69 @@
+commit 6a043145ca6e9c55184013841a67b2fef87e44c0
+Author: Mark Adler <madler at alumni.caltech.edu>
+Date: Wed Sep 21 23:35:50 2016 -0700
+
+ Remove offset pointer optimization in inftrees.c.
+
+ inftrees.c was subtracting an offset from a pointer to an array,
+ in order to provide a pointer that allowed indexing starting at
+ the offset. This is not compliant with the C standard, for which
+ the behavior of a pointer decremented before its allocated memory
+ is undefined. Per the recommendation of a security audit of the
+ zlib code by Trail of Bits and TrustInSoft, in support of the
+ Mozilla Foundation, this tiny optimization was removed, in order
+ to avoid the possibility of undefined behavior.
+
+diff --git a/inftrees.c b/inftrees.c
+index 22fcd66..0d2670d 100644
+--- a/src/zlib/inftrees.c
++++ b/src/zlib/inftrees.c
+@@ -54,7 +54,7 @@ unsigned short FAR *work;
+ code FAR *next; /* next available space in table */
+ const unsigned short FAR *base; /* base value table to use */
+ const unsigned short FAR *extra; /* extra bits table to use */
+- int end; /* use base and extra for symbol > end */
++ unsigned match; /* use base and extra for symbol >= match */
+ unsigned short count[MAXBITS+1]; /* number of codes of each length */
+ unsigned short offs[MAXBITS+1]; /* offsets in table for each length */
+ static const unsigned short lbase[31] = { /* Length codes 257..285 base */
+@@ -181,19 +181,17 @@ unsigned short FAR *work;
+ switch (type) {
+ case CODES:
+ base = extra = work; /* dummy value--not used */
+- end = 19;
++ match = 20;
+ break;
+ case LENS:
+ base = lbase;
+- base -= 257;
+ extra = lext;
+- extra -= 257;
+- end = 256;
++ match = 257;
+ break;
+ default: /* DISTS */
+ base = dbase;
+ extra = dext;
+- end = -1;
++ match = 0;
+ }
+
+ /* initialize state for loop */
+@@ -216,13 +214,13 @@ unsigned short FAR *work;
+ for (;;) {
+ /* create table entry */
+ here.bits = (unsigned char)(len - drop);
+- if ((int)(work[sym]) < end) {
++ if (work[sym] + 1 < match) {
+ here.op = (unsigned char)0;
+ here.val = work[sym];
+ }
+- else if ((int)(work[sym]) > end) {
+- here.op = (unsigned char)(extra[work[sym]]);
+- here.val = base[work[sym]];
++ else if (work[sym] >= match) {
++ here.op = (unsigned char)(extra[work[sym] - match]);
++ here.val = base[work[sym] - match];
+ }
+ else {
+ here.op = (unsigned char)(32 + 64); /* end of block */
diff --git a/debian/patches/CVE-2016-9841.diff b/debian/patches/CVE-2016-9841.diff
new file mode 100644
index 0000000..6a46886
--- /dev/null
+++ b/debian/patches/CVE-2016-9841.diff
@@ -0,0 +1,222 @@
+commit 9aaec95e82117c1cb0f9624264c3618fc380cecb
+Author: Mark Adler <madler at alumni.caltech.edu>
+Date: Wed Sep 21 22:25:21 2016 -0700
+
+ Use post-increment only in inffast.c.
+
+ An old inffast.c optimization turns out to not be optimal anymore
+ with modern compilers, and furthermore was not compliant with the
+ C standard, for which decrementing a pointer before its allocated
+ memory is undefined. Per the recommendation of a security audit of
+ the zlib code by Trail of Bits and TrustInSoft, in support of the
+ Mozilla Foundation, this "optimization" was removed, in order to
+ avoid the possibility of undefined behavior.
+
+diff --git a/inffast.c b/inffast.c
+index bda59ce..f0d163d 100644
+--- a/src/zlib/inffast.c
++++ b/src/zlib/inffast.c
+@@ -10,25 +10,6 @@
+
+ #ifndef ASMINF
+
+-/* Allow machine dependent optimization for post-increment or pre-increment.
+- Based on testing to date,
+- Pre-increment preferred for:
+- - PowerPC G3 (Adler)
+- - MIPS R5000 (Randers-Pehrson)
+- Post-increment preferred for:
+- - none
+- No measurable difference:
+- - Pentium III (Anderson)
+- - M68060 (Nikl)
+- */
+-#ifdef POSTINC
+-# define OFF 0
+-# define PUP(a) *(a)++
+-#else
+-# define OFF 1
+-# define PUP(a) *++(a)
+-#endif
+-
+ /*
+ Decode literal, length, and distance codes and write out the resulting
+ literal and match bytes until either not enough input or output is
+@@ -96,9 +77,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+
+ /* copy state to local variables */
+ state = (struct inflate_state FAR *)strm->state;
+- in = strm->next_in - OFF;
++ in = strm->next_in;
+ last = in + (strm->avail_in - 5);
+- out = strm->next_out - OFF;
++ out = strm->next_out;
+ beg = out - (start - strm->avail_out);
+ end = out + (strm->avail_out - 257);
+ #ifdef INFLATE_STRICT
+@@ -119,9 +100,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ input data or output space */
+ do {
+ if (bits < 15) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ here = lcode[hold & lmask];
+@@ -134,14 +115,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ?
+ "inflate: literal '%c'\n" :
+ "inflate: literal 0x%02x\n", here.val));
+- PUP(out) = (unsigned char)(here.val);
++ *out++ = (unsigned char)(here.val);
+ }
+ else if (op & 16) { /* length base */
+ len = (unsigned)(here.val);
+ op &= 15; /* number of extra bits */
+ if (op) {
+ if (bits < op) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ len += (unsigned)hold & ((1U << op) - 1);
+@@ -150,9 +131,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ }
+ Tracevv((stderr, "inflate: length %u\n", len));
+ if (bits < 15) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ here = dcode[hold & dmask];
+@@ -165,10 +146,10 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ dist = (unsigned)(here.val);
+ op &= 15; /* number of extra bits */
+ if (bits < op) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ if (bits < op) {
+- hold += (unsigned long)(PUP(in)) << bits;
++ hold += (unsigned long)(*in++) << bits;
+ bits += 8;
+ }
+ }
+@@ -196,30 +177,30 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ #ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
+ if (len <= op - whave) {
+ do {
+- PUP(out) = 0;
++ *out++ = 0;
+ } while (--len);
+ continue;
+ }
+ len -= op - whave;
+ do {
+- PUP(out) = 0;
++ *out++ = 0;
+ } while (--op > whave);
+ if (op == 0) {
+ from = out - dist;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--len);
+ continue;
+ }
+ #endif
+ }
+- from = window - OFF;
++ from = window;
+ if (wnext == 0) { /* very common case */
+ from += wsize - op;
+ if (op < len) { /* some from window */
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+ from = out - dist; /* rest from output */
+ }
+@@ -230,14 +211,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ if (op < len) { /* some from end of window */
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+- from = window - OFF;
++ from = window;
+ if (wnext < len) { /* some from start of window */
+ op = wnext;
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+ from = out - dist; /* rest from output */
+ }
+@@ -248,35 +229,35 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ if (op < len) { /* some from window */
+ len -= op;
+ do {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ } while (--op);
+ from = out - dist; /* rest from output */
+ }
+ }
+ while (len > 2) {
+- PUP(out) = PUP(from);
+- PUP(out) = PUP(from);
+- PUP(out) = PUP(from);
++ *out++ = *from++;
++ *out++ = *from++;
++ *out++ = *from++;
+ len -= 3;
+ }
+ if (len) {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ if (len > 1)
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ }
+ }
+ else {
+ from = out - dist; /* copy direct from output */
+ do { /* minimum length is three */
+- PUP(out) = PUP(from);
+- PUP(out) = PUP(from);
+- PUP(out) = PUP(from);
++ *out++ = *from++;
++ *out++ = *from++;
++ *out++ = *from++;
+ len -= 3;
+ } while (len > 2);
+ if (len) {
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ if (len > 1)
+- PUP(out) = PUP(from);
++ *out++ = *from++;
+ }
+ }
+ }
+@@ -313,8 +294,8 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
+ hold &= (1U << bits) - 1;
+
+ /* update state and return */
+- strm->next_in = in + OFF;
+- strm->next_out = out + OFF;
++ strm->next_in = in;
++ strm->next_out = out;
+ strm->avail_in = (unsigned)(in < last ? 5 + (last - in) : 5 - (in - last));
+ strm->avail_out = (unsigned)(out < end ?
+ 257 + (end - out) : 257 - (out - end));
diff --git a/debian/patches/CVE-2016-9842.diff b/debian/patches/CVE-2016-9842.diff
new file mode 100644
index 0000000..6469cbf
--- /dev/null
+++ b/debian/patches/CVE-2016-9842.diff
@@ -0,0 +1,27 @@
+commit e54e1299404101a5a9d0cf5e45512b543967f958
+Author: Mark Adler <madler at alumni.caltech.edu>
+Date: Sat Sep 5 17:45:55 2015 -0700
+
+ Avoid shifts of negative values inflateMark().
+
+ The C standard says that bit shifts of negative integers is
+ undefined. This casts to unsigned values to assure a known
+ result.
+
+diff --git a/inflate.c b/inflate.c
+index 2889e3a..a718416 100644
+--- a/src/zlib/inflate.c
++++ b/src/zlib/inflate.c
+@@ -1506,9 +1506,10 @@ z_streamp strm;
+ {
+ struct inflate_state FAR *state;
+
+- if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16;
++ if (strm == Z_NULL || strm->state == Z_NULL)
++ return (long)(((unsigned long)0 - 1) << 16);
+ state = (struct inflate_state FAR *)strm->state;
+- return ((long)(state->back) << 16) +
++ return (long)(((unsigned long)((long)state->back)) << 16) +
+ (state->mode == COPY ? state->length :
+ (state->mode == MATCH ? state->was - state->length : 0));
+ }
diff --git a/debian/patches/CVE-2016-9843.diff b/debian/patches/CVE-2016-9843.diff
new file mode 100644
index 0000000..ac1da9b
--- /dev/null
+++ b/debian/patches/CVE-2016-9843.diff
@@ -0,0 +1,47 @@
+commit d1d577490c15a0c6862473d7576352a9f18ef811
+Author: Mark Adler <madler at alumni.caltech.edu>
+Date: Wed Sep 28 20:20:25 2016 -0700
+
+ Avoid pre-decrement of pointer in big-endian CRC calculation.
+
+ There was a small optimization for PowerPCs to pre-increment a
+ pointer when accessing a word, instead of post-incrementing. This
+ required prefacing the loop with a decrement of the pointer,
+ possibly pointing before the object passed. This is not compliant
+ with the C standard, for which decrementing a pointer before its
+ allocated memory is undefined. When tested on a modern PowerPC
+ with a modern compiler, the optimization no longer has any effect.
+ Due to all that, and per the recommendation of a security audit of
+ the zlib code by Trail of Bits and TrustInSoft, in support of the
+ Mozilla Foundation, this "optimization" was removed, in order to
+ avoid the possibility of undefined behavior.
+
+diff --git a/crc32.c b/crc32.c
+index 979a719..05733f4 100644
+--- a/src/zlib/crc32.c
++++ b/src/zlib/crc32.c
+@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len)
+ }
+
+ /* ========================================================================= */
+-#define DOBIG4 c ^= *++buf4; \
++#define DOBIG4 c ^= *buf4++; \
+ c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \
+ crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24]
+ #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4
+@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len)
+ }
+
+ buf4 = (const z_crc_t FAR *)(const void FAR *)buf;
+- buf4--;
+ while (len >= 32) {
+ DOBIG32;
+ len -= 32;
+@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len)
+ DOBIG4;
+ len -= 4;
+ }
+- buf4++;
+ buf = (const unsigned char FAR *)buf4;
+
+ if (len) do {
diff --git a/debian/rules.patch b/debian/rules.patch
index c902fef..746bd59 100644
--- a/debian/rules.patch
+++ b/debian/rules.patch
@@ -105,7 +105,10 @@ debian_patches += \
compress-debug-check \
pr77267 \
pr78774 \
-
+ CVE-2016-9840 \
+ CVE-2016-9841 \
+ CVE-2016-9842 \
+ CVE-2016-9843 \
ifeq ($(libstdcxx_abi),new)
debian_patches += libstdc++-functexcept
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/gcc-6.git
More information about the Reproducible-commits
mailing list