Skip to content

Commit

Permalink
zlib: patch CVE-2023-45853
Browse files Browse the repository at this point in the history
Backport commit merged to develop branch from PR linked in NVD report:
* https://nvd.nist.gov/vuln/detail/CVE-2023-45853
* madler/zlib#843

Signed-off-by: Peter Marko <[email protected]>
Signed-off-by: Steve Sakoman <[email protected]>
  • Loading branch information
petermarko authored and sakoman committed Oct 20, 2023
1 parent 0547b60 commit 6e265e4
Show file tree
Hide file tree
Showing 2 changed files with 43 additions and 0 deletions.
42 changes: 42 additions & 0 deletions meta/recipes-core/zlib/zlib/CVE-2023-45853.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
From 73331a6a0481067628f065ffe87bb1d8f787d10c Mon Sep 17 00:00:00 2001
From: Hans Wennborg <[email protected]>
Date: Fri, 18 Aug 2023 11:05:33 +0200
Subject: [PATCH] Reject overflows of zip header fields in minizip.

This checks the lengths of the file name, extra field, and comment
that would be put in the zip headers, and rejects them if they are
too long. They are each limited to 65535 bytes in length by the zip
format. This also avoids possible buffer overflows if the provided
fields are too long.

CVE: CVE-2023-45853
Upstream-Status: Backport [https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c]

Signed-off-by: Peter Marko <[email protected]>

---
contrib/minizip/zip.c | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c
index 3d3d4cadd..0446109b2 100644
--- a/contrib/minizip/zip.c
+++ b/contrib/minizip/zip.c
@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c
return ZIP_PARAMERROR;
#endif

+ // The filename and comment length must fit in 16 bits.
+ if ((filename!=NULL) && (strlen(filename)>0xffff))
+ return ZIP_PARAMERROR;
+ if ((comment!=NULL) && (strlen(comment)>0xffff))
+ return ZIP_PARAMERROR;
+ // The extra field length must fit in 16 bits. If the member also requires
+ // a Zip64 extra block, that will also need to fit within that 16-bit
+ // length, but that will be checked for later.
+ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
+ return ZIP_PARAMERROR;
+
zi = (zip64_internal*)file;

if (zi->in_opened_file_inzip == 1)
1 change: 1 addition & 0 deletions meta/recipes-core/zlib/zlib_1.2.11.bb
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libpng/${BPN}/${PV}/${BPN}-${PV}.tar.xz \
file://CVE-2018-25032.patch \
file://run-ptest \
file://CVE-2022-37434.patch \
file://CVE-2023-45853.patch \
"
UPSTREAM_CHECK_URI = "http://zlib.net/"

Expand Down

1 comment on commit 6e265e4

@Neustradamus
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.