author | Sam James <sam@gentoo.org> | 2023-10-30 10:16:13 +0000 |
---|---|---|
committer | Sam James <sam@gentoo.org> | 2023-10-30 10:19:02 +0000 |
commit | d9718dafa6ecd841f4364f2ee0039613f0b8efec (patch) | |
tree | 83188a0b9adfdfff10895a7dfc13729b3f304681 /sys-libs/zlib | |
parent | net-libs/davix: remove unused patch(es) (diff) | |
sys-libs/zlib: fix CVE-2023-45853
Bug: https://bugs.gentoo.org/916484
Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'sys-libs/zlib')
-rw-r--r-- | sys-libs/zlib/files/zlib-1.2.13-CVE-2023-45853.patch | 40 | ||||
-rw-r--r-- | sys-libs/zlib/zlib-1.2.13-r2.ebuild | 184 | ||||
-rw-r--r-- | sys-libs/zlib/zlib-1.3-r2.ebuild | 179 |
3 files changed, 403 insertions, 0 deletions
diff --git a/sys-libs/zlib/files/zlib-1.2.13-CVE-2023-45853.patch b/sys-libs/zlib/files/zlib-1.2.13-CVE-2023-45853.patch
new file mode 100644
index 000000000000..ecb5acecbb33
--- /dev/null
+++ b/sys-libs/zlib/files/zlib-1.2.13-CVE-2023-45853.patch
@@ -0,0 +1,40 @@
+https://bugs.gentoo.org/916484
+https://github.com/madler/zlib/pull/843
+https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c
+
+From 73331a6a0481067628f065ffe87bb1d8f787d10c Mon Sep 17 00:00:00 2001
+From: Hans Wennborg <hans@chromium.org>
+Date: Fri, 18 Aug 2023 11:05:33 +0200
+Subject: [PATCH] Reject overflows of zip header fields in minizip.
+
+This checks the lengths of the file name, extra field, and comment
+that would be put in the zip headers, and rejects them if they are
+too long. They are each limited to 65535 bytes in length by the zip
+format. This also avoids possible buffer overflows if the provided
+fields are too long.
+---
+ contrib/minizip/zip.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c
+index 3d3d4cadd..0446109b2 100644
+--- a/contrib/minizip/zip.c
++++ b/contrib/minizip/zip.c
+@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c
+ return ZIP_PARAMERROR;
+ #endif
+
++ // The filename and comment length must fit in 16 bits.
++ if ((filename!=NULL) && (strlen(filename)>0xffff))
++ return ZIP_PARAMERROR;
++ if ((comment!=NULL) && (strlen(comment)>0xffff))
++ return ZIP_PARAMERROR;
++ // The extra field length must fit in 16 bits. If the member also requires
++ // a Zip64 extra block, that will also need to fit within that 16-bit
++ // length, but that will be checked for later.
++ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
++ return ZIP_PARAMERROR;
++
+ zi = (zip64_internal*)file;
+
+ if (zi->in_opened_file_inzip == 1)
diff --git a/sys-libs/zlib/zlib-1.2.13-r2.ebuild b/sys-libs/zlib/zlib-1.2.13-r2.ebuild
new file mode 100644
index 000000000000..fbf50ae139d8
--- /dev/null
+++ b/sys-libs/zlib/zlib-1.2.13-r2.ebuild
@@ -0,0 +1,184 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Worth keeping an eye on 'develop' branch upstream for possible backports.
+AUTOTOOLS_AUTO_DEPEND="no"
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/madler.asc
+inherit autotools multilib-minimal flag-o-matic toolchain-funcs usr-ldscript verify-sig
+
+DESCRIPTION="Standard (de)compression library"
+HOMEPAGE="https://zlib.net/"
+SRC_URI="https://zlib.net/${P}.tar.xz
+ https://zlib.net/fossils/${P}.tar.xz
+ https://zlib.net/current/beta/${P}.tar.xz
+ verify-sig? ( https://zlib.net/${P}.tar.xz.asc )"
+
+LICENSE="ZLIB"
+SLOT="0/1" # subslot = SONAME
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="minizip static-libs"
+
+RDEPEND="!sys-libs/zlib-ng[compat]"
+DEPEND="${RDEPEND}"
+BDEPEND="
+ minizip? ( ${AUTOTOOLS_DEPEND} )
+ verify-sig? ( sec-keys/openpgp-keys-madler )
+"
+
+PATCHES=(
+ # Don't install unexpected & unused crypt.h header (which would clash with other pkgs)
+ # Pending upstream. bug #658536
+ "${FILESDIR}"/${PN}-1.2.11-minizip-drop-crypt-header.patch
+
+ # Respect AR, RANLIB, NM during build. Pending upstream. bug #831628
+ "${FILESDIR}"/${PN}-1.2.11-configure-fix-AR-RANLIB-NM-detection.patch
+
+ # Respect LDFLAGS during configure tests. Pending upstream
+ "${FILESDIR}"/${PN}-1.2.13-use-LDFLAGS-in-configure.patch
+
+ # Fix building on sparc with older binutils, we pass it in ebuild instead
+ "${FILESDIR}"/${PN}-1.2.13-Revert-Turn-off-RWX-segment-warnings-on-sparc-system.patch
+
+ # CVE-2023-45853 (bug #916484)
+ "${FILESDIR}"/${PN}-1.2.13-CVE-2023-45853.patch
+)
+
+src_prepare() {
+ default
+
+ if use minizip ; then
+ cd contrib/minizip || die
+ eautoreconf
+ fi
+
+ case ${CHOST} in
+ *-mingw*|mingw*)
+ # Uses preconfigured Makefile rather than configure script
+ multilib_copy_sources
+
+ ;;
+ esac
+}
+
+echoit() { echo "$@"; "$@"; }
+
+multilib_src_configure() {
+ # We pass manually instead of relying on the configure script/makefile
+ # because it would pass it even for older binutils.
+ use sparc && append-flags $(test-flags-CCLD -Wl,--no-warn-rwx-segments)
+
+ # ideally we want !tc-ld-is-bfd for best future-proofing, but it needs
+ # https://github.com/gentoo/gentoo/pull/28355
+ # mold needs this too but right now tc-ld-is-mold is also not available
+ if tc-ld-is-lld; then
+ append-ldflags -Wl,--undefined-version
+ fi
+
+ case ${CHOST} in
+ *-mingw*|mingw*)
+ ;;
+
+ *)
+ # bug #347167
+ local uname=$("${BROOT}"/usr/share/gnuconfig/config.sub "${CHOST}" | cut -d- -f3)
+
+ local myconf=(
+ --shared
+ --prefix="${EPREFIX}/usr"
+ --libdir="${EPREFIX}/usr/$(get_libdir)"
+ ${uname:+--uname=${uname}}
+ )
+
+ # Not an autoconf script, so can't use econf
+ echoit "${S}"/configure "${myconf[@]}" || die
+
+ ;;
+ esac
+
+ if use minizip ; then
+ local minizipdir="contrib/minizip"
+ mkdir -p "${BUILD_DIR}/${minizipdir}" || die
+
+ cd ${minizipdir} || die
+ ECONF_SOURCE="${S}/${minizipdir}" econf $(use_enable static-libs static)
+ fi
+}
+
+multilib_src_compile() {
+ case ${CHOST} in
+ *-mingw*|mingw*)
+ emake -f win32/Makefile.gcc STRIP=true PREFIX=${CHOST}-
+ sed \
+ -e 's|@prefix@|'"${EPREFIX}"'/usr|g' \
+ -e 's|@exec_prefix@|${prefix}|g' \
+ -e 's|@libdir@|${exec_prefix}/'$(get_libdir)'|g' \
+ -e 's|@sharedlibdir@|${exec_prefix}/'$(get_libdir)'|g' \
+ -e 's|@includedir@|${prefix}/include|g' \
+ -e 's|@VERSION@|'${PV}'|g' \
+ zlib.pc.in > zlib.pc || die
+ ;;
+
+ *)
+ emake
+
+ ;;
+ esac
+
+ use minizip && emake -C contrib/minizip
+}
+
+sed_macros() {
+ # Clean up namespace a little, bug #383179
+ # We do it here so we only have to tweak 2 files
+ sed -i -r 's:\<(O[FN])\>:_Z_\1:g' "$@" || die
+}
+
+multilib_src_install() {
+ case ${CHOST} in
+ *-mingw*|mingw*)
+ emake -f win32/Makefile.gcc install \
+ BINARY_PATH="${ED}/usr/bin" \
+ LIBRARY_PATH="${ED}/usr/$(get_libdir)" \
+ INCLUDE_PATH="${ED}/usr/include" \
+ SHARED_MODE=1
+
+ # Overwrites zlib.pc created from win32/Makefile.gcc, bug #620136
+ insinto /usr/$(get_libdir)/pkgconfig
+ doins zlib.pc
+
+ ;;
+
+ *)
+ emake install DESTDIR="${D}" LDCONFIG=:
+ gen_usr_ldscript -a z
+
+ ;;
+ esac
+
+ sed_macros "${ED}"/usr/include/*.h
+
+ if use minizip ; then
+ emake -C contrib/minizip install DESTDIR="${D}"
+ sed_macros "${ED}"/usr/include/minizip/*.h
+
+ # This might not exist if slibtool is used.
+ # bug #816756
+ rm -f "${ED}"/usr/$(get_libdir)/libminizip.la || die
+ fi
+
+ if ! use static-libs ; then
+ # bug #419645
+ rm "${ED}"/usr/$(get_libdir)/libz.a || die
+ fi
+}
+
+multilib_src_install_all() {
+ dodoc FAQ README ChangeLog doc/*.txt
+
+ if use minizip ; then
+ dodoc contrib/minizip/*.txt
+ doman contrib/minizip/*.1
+ fi
+}
diff --git a/sys-libs/zlib/zlib-1.3-r2.ebuild b/sys-libs/zlib/zlib-1.3-r2.ebuild
new file mode 100644
index 000000000000..89522d3657a8
--- /dev/null
+++ b/sys-libs/zlib/zlib-1.3-r2.ebuild
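Review bot: The `# CVE-2023-45853 (bug #916484)` comment above the PATCHES entry does not say which component the fix covers; the added patch file touches only contrib/minizip/zip.c, and this ebuild builds and installs contrib/minizip only under USE=minizip, so a maintainer judging stabilisation or advisory scope has to open the patch to learn that the default build contains no affected code. A one-line scope note would make that visible: `# CVE-2023-45853 (bug #916484): zip header length overflow in contrib/minizip (only built with USE=minizip)`. The same comment appears in zlib-1.3-r2.ebuild and would benefit from the same wording. Separately, this ebuild still defines a local `echoit` helper for the configure call while zlib-1.3-r2.ebuild uses `edo` for the identical line; for consistency between the two revisions, `inherit autotools edo multilib-minimal flag-o-matic toolchain-funcs usr-ldscript verify-sig` and `edo "${S}"/configure "${myconf[@]}"` would drop the helper and the trailing `|| die`.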
@@ -0,0 +1,179 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Worth keeping an eye on 'develop' branch upstream for possible backports.
+AUTOTOOLS_AUTO_DEPEND="no"
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/madler.asc
+inherit autotools edo multilib-minimal flag-o-matic toolchain-funcs usr-ldscript verify-sig
+
+DESCRIPTION="Standard (de)compression library"
+HOMEPAGE="https://zlib.net/"
+SRC_URI="
+ https://zlib.net/${P}.tar.xz
+ https://zlib.net/fossils/${P}.tar.xz
+ https://zlib.net/current/beta/${P}.tar.xz
+ https://github.com/madler/zlib/releases/download/v${PV}/${P}.tar.xz
+ verify-sig? (
+ https://zlib.net/${P}.tar.xz.asc
+ https://github.com/madler/zlib/releases/download/v${PV}/${P}.tar.xz.asc
+ )
+"
+
+LICENSE="ZLIB"
+SLOT="0/1" # subslot = SONAME
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="minizip static-libs"
+
+RDEPEND="!sys-libs/zlib-ng[compat]"
+DEPEND="${RDEPEND}"
+BDEPEND="
+ minizip? ( ${AUTOTOOLS_DEPEND} )
+ verify-sig? ( sec-keys/openpgp-keys-madler )
+"
+
+PATCHES=(
+ # Don't install unexpected & unused crypt.h header (which would clash with other pkgs)
+ # Pending upstream. bug #658536
+ "${FILESDIR}"/${PN}-1.2.11-minizip-drop-crypt-header.patch
+
+ # Respect AR, RANLIB, NM during build. Pending upstream. bug #831628
+ "${FILESDIR}"/${PN}-1.2.11-configure-fix-AR-RANLIB-NM-detection.patch
+
+ # Respect LDFLAGS during configure tests. Pending upstream
+ "${FILESDIR}"/${PN}-1.2.13-use-LDFLAGS-in-configure.patch
+
+ # Fix building on sparc with older binutils, we pass it in ebuild instead
+ "${FILESDIR}"/${PN}-1.2.13-Revert-Turn-off-RWX-segment-warnings-on-sparc-system.patch
+
+ # CVE-2023-45853 (bug #916484)
+ "${FILESDIR}"/${PN}-1.2.13-CVE-2023-45853.patch
+)
+
+src_prepare() {
+ default
+
+ if use minizip ; then
+ cd contrib/minizip || die
+ eautoreconf
+ fi
+
+ case ${CHOST} in
+ *-mingw*|mingw*)
+ # Uses preconfigured Makefile rather than configure script
+ multilib_copy_sources
+
+ ;;
+ esac
+}
+
+multilib_src_configure() {
+ # We pass manually instead of relying on the configure script/makefile
+ # because it would pass it even for older binutils.
+ use sparc && append-flags $(test-flags-CCLD -Wl,--no-warn-rwx-segments)
+
+ # ideally we want !tc-ld-is-bfd for best future-proofing, but it needs
+ # https://github.com/gentoo/gentoo/pull/28355
+ # mold needs this too but right now tc-ld-is-mold is also not available
+ if tc-ld-is-lld; then
+ append-ldflags -Wl,--undefined-version
+ fi
+
+ case ${CHOST} in
+ *-mingw*|mingw*)
+ ;;
+
+ *)
+ # bug #347167
+ local uname=$("${BROOT}"/usr/share/gnuconfig/config.sub "${CHOST}" | cut -d- -f3)
+
+ local myconf=(
+ --shared
+ --prefix="${EPREFIX}/usr"
+ --libdir="${EPREFIX}/usr/$(get_libdir)"
+ ${uname:+--uname=${uname}}
+ )
+
+ # Not an autoconf script, so can't use econf
+ edo "${S}"/configure "${myconf[@]}"
+
+ ;;
+ esac
+
+ if use minizip ; then
+ local minizipdir="contrib/minizip"
+ mkdir -p "${BUILD_DIR}/${minizipdir}" || die
+
+ cd ${minizipdir} || die
+ ECONF_SOURCE="${S}/${minizipdir}" econf $(use_enable static-libs static)
+ fi
+}
+
+multilib_src_compile() {
+ case ${CHOST} in
+ *-mingw*|mingw*)
+ emake -f win32/Makefile.gcc STRIP=true PREFIX=${CHOST}-
+ sed \
+ -e 's|@prefix@|'"${EPREFIX}"'/usr|g' \
+ -e 's|@exec_prefix@|${prefix}|g' \
+ -e 's|@libdir@|${exec_prefix}/'$(get_libdir)'|g' \
+ -e 's|@sharedlibdir@|${exec_prefix}/'$(get_libdir)'|g' \
+ -e 's|@includedir@|${prefix}/include|g' \
+ -e 's|@VERSION@|'${PV}'|g' \
+ zlib.pc.in > zlib.pc || die
+ ;;
+
+ *)
+ emake
+
+ ;;
+ esac
+
+ use minizip && emake -C contrib/minizip
+}
+
+multilib_src_install() {
+ case ${CHOST} in
+ *-mingw*|mingw*)
+ emake -f win32/Makefile.gcc install \
+ BINARY_PATH="${ED}/usr/bin" \
+ LIBRARY_PATH="${ED}/usr/$(get_libdir)" \
+ INCLUDE_PATH="${ED}/usr/include" \
+ SHARED_MODE=1
+
+ # Overwrites zlib.pc created from win32/Makefile.gcc, bug #620136
+ insinto /usr/$(get_libdir)/pkgconfig
+ doins zlib.pc
+
+ ;;
+
+ *)
+ emake install DESTDIR="${D}" LDCONFIG=:
+ gen_usr_ldscript -a z
+
+ ;;
+ esac
+
+ if use minizip ; then
+ emake -C contrib/minizip install DESTDIR="${D}"
+
+ # This might not exist if slibtool is used.
+ # bug #816756
+ rm -f "${ED}"/usr/$(get_libdir)/libminizip.la || die
+ fi
+
+ if ! use static-libs ; then
+ # bug #419645
+ rm "${ED}"/usr/$(get_libdir)/libz.a || die
+ fi
+}
+
+multilib_src_install_all() {
+ dodoc FAQ README ChangeLog doc/*.txt
+
+ if use minizip ; then
+ dodoc contrib/minizip/*.txt
+ doman contrib/minizip/*.1
+ fi
+}