diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/zlib/files/zlib-1.2.12-CVE-2022-37434.patch b/sdk_container/src/third_party/portage-stable/sys-libs/zlib/files/zlib-1.2.12-CVE-2022-37434.patch new file mode 100644 index 0000000000..1ef3b909e4 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-libs/zlib/files/zlib-1.2.12-CVE-2022-37434.patch @@ -0,0 +1,55 @@ +https://bugs.gentoo.org/863851 +https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1 +https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d (see https://github.com/curl/curl/issues/9271) + +From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Sat, 30 Jul 2022 15:51:11 -0700 +Subject: [PATCH] Fix a bug when getting a gzip header extra field with + inflate(). + +If the extra field was larger than the space the user provided with +inflateGetHeader(), and if multiple calls of inflate() delivered +the extra header data, then there could be a buffer overflow of the +provided space. This commit assures that provided space is not +exceeded. +--- a/inflate.c ++++ b/inflate.c +@@ -763,9 +763,10 @@ int flush; + copy = state->length; + if (copy > have) copy = have; + if (copy) { ++ len = state->head->extra_len - state->length; + if (state->head != Z_NULL && +- state->head->extra != Z_NULL) { +- len = state->head->extra_len - state->length; ++ state->head->extra != Z_NULL && ++ len < state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy); + +From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001 +From: Mark Adler +Date: Mon, 8 Aug 2022 10:50:09 -0700 +Subject: [PATCH] Fix extra field processing bug that dereferences NULL + state->head. + +The recent commit to fix a gzip header extra field processing bug +introduced the new bug fixed here. +--- a/inflate.c ++++ b/inflate.c +@@ -763,10 +763,10 @@ int flush; + copy = state->length; + if (copy > have) copy = have; + if (copy) { +- len = state->head->extra_len - state->length; + if (state->head != Z_NULL && + state->head->extra != Z_NULL && +- len < state->head->extra_max) { ++ (len = state->head->extra_len - state->length) < ++ state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy); + diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/zlib/zlib-1.2.11-r4.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/zlib/zlib-1.2.11-r4.ebuild index bc2fe9834e..f81dba33f7 100644 --- a/sdk_container/src/third_party/portage-stable/sys-libs/zlib/zlib-1.2.11-r4.ebuild +++ b/sdk_container/src/third_party/portage-stable/sys-libs/zlib/zlib-1.2.11-r4.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 @@ -14,6 +14,7 @@ CYGWINPATCHES=( DESCRIPTION="Standard (de)compression library" HOMEPAGE="https://zlib.net/" SRC_URI="https://zlib.net/${P}.tar.gz + https://zlib.net/fossils/${P}.tar.gz http://www.gzip.org/zlib/${P}.tar.gz http://www.zlib.net/current/beta/${P}.tar.gz elibc_Cygwin? ( ${CYGWINPATCHES[*]} )" diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/zlib/zlib-1.2.11-r5.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/zlib/zlib-1.2.11-r5.ebuild index 5173a430e6..c24cdc4a35 100644 --- a/sdk_container/src/third_party/portage-stable/sys-libs/zlib/zlib-1.2.11-r5.ebuild +++ b/sdk_container/src/third_party/portage-stable/sys-libs/zlib/zlib-1.2.11-r5.ebuild @@ -14,6 +14,7 @@ CYGWINPATCHES=( DESCRIPTION="Standard (de)compression library" HOMEPAGE="https://zlib.net/" SRC_URI="https://zlib.net/${P}.tar.gz + https://zlib.net/fossils/${P}.tar.gz http://www.gzip.org/zlib/${P}.tar.gz http://www.zlib.net/current/beta/${P}.tar.gz elibc_Cygwin? ( ${CYGWINPATCHES[*]} )" diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/zlib/zlib-1.2.12-r2.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/zlib/zlib-1.2.12-r2.ebuild index ca6e222f45..5741a146d6 100644 --- a/sdk_container/src/third_party/portage-stable/sys-libs/zlib/zlib-1.2.12-r2.ebuild +++ b/sdk_container/src/third_party/portage-stable/sys-libs/zlib/zlib-1.2.12-r2.ebuild @@ -16,6 +16,7 @@ CYGWINPATCHES=( DESCRIPTION="Standard (de)compression library" HOMEPAGE="https://zlib.net/" SRC_URI="https://zlib.net/${P}.tar.gz + https://zlib.net/fossils/${P}.tar.gz https://www.gzip.org/zlib/${P}.tar.gz https://www.zlib.net/current/beta/${P}.tar.gz verify-sig? ( https://zlib.net/${P}.tar.gz.asc ) @@ -23,7 +24,7 @@ SRC_URI="https://zlib.net/${P}.tar.gz LICENSE="ZLIB" SLOT="0/1" # subslot = SONAME -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt" IUSE="minizip static-libs" RDEPEND="!sys-libs/zlib-ng[compat]" diff --git a/sdk_container/src/third_party/portage-stable/sys-libs/zlib/zlib-1.2.12-r1.ebuild b/sdk_container/src/third_party/portage-stable/sys-libs/zlib/zlib-1.2.12-r3.ebuild similarity index 83% rename from sdk_container/src/third_party/portage-stable/sys-libs/zlib/zlib-1.2.12-r1.ebuild rename to sdk_container/src/third_party/portage-stable/sys-libs/zlib/zlib-1.2.12-r3.ebuild index 267b24c0d1..1117652b53 100644 --- a/sdk_container/src/third_party/portage-stable/sys-libs/zlib/zlib-1.2.12-r1.ebuild +++ b/sdk_container/src/third_party/portage-stable/sys-libs/zlib/zlib-1.2.12-r3.ebuild @@ -1,8 +1,9 @@ # Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 +# Worth keeping an eye on 'develop' branch upstream for possible backports. AUTOTOOLS_AUTO_DEPEND="no" VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/madler.asc inherit autotools multilib-minimal usr-ldscript verify-sig @@ -15,6 +16,7 @@ CYGWINPATCHES=( DESCRIPTION="Standard (de)compression library" HOMEPAGE="https://zlib.net/" SRC_URI="https://zlib.net/${P}.tar.gz + https://zlib.net/fossils/${P}.tar.gz https://www.gzip.org/zlib/${P}.tar.gz https://www.zlib.net/current/beta/${P}.tar.gz verify-sig? ( https://zlib.net/${P}.tar.gz.asc ) @@ -22,7 +24,7 @@ SRC_URI="https://zlib.net/${P}.tar.gz LICENSE="ZLIB" SLOT="0/1" # subslot = SONAME -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt" IUSE="minizip static-libs" RDEPEND="!sys-libs/zlib-ng[compat]" @@ -31,14 +33,24 @@ BDEPEND="minizip? ( ${AUTOTOOLS_DEPEND} ) verify-sig? ( sec-keys/openpgp-keys-madler )" PATCHES=( - # bug #658536 + # Don't install unexpected & unused crypt.h header (which would clash with other pkgs) + # Pending upstream. bug #658536 "${FILESDIR}"/${PN}-1.2.11-minizip-drop-crypt-header.patch - # bug #831628 + # Respect AR, RANLIB, NM during build. Pending upstream. bug #831628 "${FILESDIR}"/${PN}-1.2.11-configure-fix-AR-RANLIB-NM-detection.patch + # Respect LDFLAGS during configure tests. Pending upstream + "${FILESDIR}"/${PN}-1.2.12-use-LDFLAGS-in-configure.patch + # Fix broken CC logic - "${FILESDIR}"/${PN}-1.2.12-fix-CC-logic-in-configure.patch + "${FILESDIR}"/${P}-fix-CC-logic-in-configure.patch + + # Backport for Java (and others), bug #836370 + "${FILESDIR}"/${P}-CRC-buggy-input.patch + + # bug #863851 + "${FILESDIR}"/${P}-CVE-2022-37434.patch ) src_prepare() {