commit:     d9718dafa6ecd841f4364f2ee0039613f0b8efec
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 30 10:16:13 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Oct 30 10:19:02 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9718daf

sys-libs/zlib: fix CVE-2023-45853

Bug: https://bugs.gentoo.org/916484
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../zlib/files/zlib-1.2.13-CVE-2023-45853.patch    |  40 +++++
 sys-libs/zlib/zlib-1.2.13-r2.ebuild                | 184 +++++++++++++++++++++
 sys-libs/zlib/zlib-1.3-r2.ebuild                   | 179 ++++++++++++++++++++
 3 files changed, 403 insertions(+)

diff --git a/sys-libs/zlib/files/zlib-1.2.13-CVE-2023-45853.patch 
b/sys-libs/zlib/files/zlib-1.2.13-CVE-2023-45853.patch
new file mode 100644
index 000000000000..ecb5acecbb33
--- /dev/null
+++ b/sys-libs/zlib/files/zlib-1.2.13-CVE-2023-45853.patch
@@ -0,0 +1,40 @@
+https://bugs.gentoo.org/916484
+https://github.com/madler/zlib/pull/843
+https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c
+
+From 73331a6a0481067628f065ffe87bb1d8f787d10c Mon Sep 17 00:00:00 2001
+From: Hans Wennborg <h...@chromium.org>
+Date: Fri, 18 Aug 2023 11:05:33 +0200
+Subject: [PATCH] Reject overflows of zip header fields in minizip.
+
+This checks the lengths of the file name, extra field, and comment
+that would be put in the zip headers, and rejects them if they are
+too long. They are each limited to 65535 bytes in length by the zip
+format. This also avoids possible buffer overflows if the provided
+fields are too long.
+---
+ contrib/minizip/zip.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c
+index 3d3d4cadd..0446109b2 100644
+--- a/contrib/minizip/zip.c
++++ b/contrib/minizip/zip.c
+@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile 
file, const char* filename, c
+       return ZIP_PARAMERROR;
+ #endif
+ 
++    // The filename and comment length must fit in 16 bits.
++    if ((filename!=NULL) && (strlen(filename)>0xffff))
++        return ZIP_PARAMERROR;
++    if ((comment!=NULL) && (strlen(comment)>0xffff))
++        return ZIP_PARAMERROR;
++    // The extra field length must fit in 16 bits. If the member also requires
++    // a Zip64 extra block, that will also need to fit within that 16-bit
++    // length, but that will be checked for later.
++    if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
++        return ZIP_PARAMERROR;
++
+     zi = (zip64_internal*)file;
+ 
+     if (zi->in_opened_file_inzip == 1)
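Review bot: The extra-field guard `(size_extrafield_local>0xffff) || (size_extrafield_global>0xffff)` bounds each caller-supplied field on its own, and the comment above it defers the combined size with a Zip64 extra block to a later check that lies outside this hunk. Both new ebuilds apply this single patch, so that later check should be confirmed in the 1.2.13 and the 1.3 sources rather than assumed from the upstream tree the commit was written against. The change touches only contrib/minizip/zip.c, so I would record the scope in the Gentoo header of the patch file, for example `Affects only contrib/minizip (USE=minizip); applied to 1.2.13 and 1.3.` The body of zipOpenNewFileInZip4_64 starts and ends outside the hunk.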

diff --git a/sys-libs/zlib/zlib-1.2.13-r2.ebuild 
b/sys-libs/zlib/zlib-1.2.13-r2.ebuild
new file mode 100644
index 000000000000..fbf50ae139d8
--- /dev/null
+++ b/sys-libs/zlib/zlib-1.2.13-r2.ebuild
@@ -0,0 +1,184 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Worth keeping an eye on 'develop' branch upstream for possible backports.
+AUTOTOOLS_AUTO_DEPEND="no"
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/madler.asc
+inherit autotools multilib-minimal flag-o-matic toolchain-funcs usr-ldscript 
verify-sig
+
+DESCRIPTION="Standard (de)compression library"
+HOMEPAGE="https://zlib.net/";
+SRC_URI="https://zlib.net/${P}.tar.xz
+       https://zlib.net/fossils/${P}.tar.xz
+       https://zlib.net/current/beta/${P}.tar.xz
+       verify-sig? ( https://zlib.net/${P}.tar.xz.asc )"
+
+LICENSE="ZLIB"
+SLOT="0/1" # subslot = SONAME
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 
~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos 
~x64-macos ~x64-solaris"
+IUSE="minizip static-libs"
+
+RDEPEND="!sys-libs/zlib-ng[compat]"
+DEPEND="${RDEPEND}"
+BDEPEND="
+       minizip? ( ${AUTOTOOLS_DEPEND} )
+       verify-sig? ( sec-keys/openpgp-keys-madler )
+"
+
+PATCHES=(
+       # Don't install unexpected & unused crypt.h header (which would clash 
with other pkgs)
+       # Pending upstream. bug #658536
+       "${FILESDIR}"/${PN}-1.2.11-minizip-drop-crypt-header.patch
+
+       # Respect AR, RANLIB, NM during build. Pending upstream. bug #831628
+       "${FILESDIR}"/${PN}-1.2.11-configure-fix-AR-RANLIB-NM-detection.patch
+
+       # Respect LDFLAGS during configure tests. Pending upstream
+       "${FILESDIR}"/${PN}-1.2.13-use-LDFLAGS-in-configure.patch
+
+       # Fix building on sparc with older binutils, we pass it in ebuild 
instead
+       
"${FILESDIR}"/${PN}-1.2.13-Revert-Turn-off-RWX-segment-warnings-on-sparc-system.patch
+
+       # CVE-2023-45853 (bug #916484)
+       "${FILESDIR}"/${PN}-1.2.13-CVE-2023-45853.patch
+)
+
+src_prepare() {
+       default
+
+       if use minizip ; then
+               cd contrib/minizip || die
+               eautoreconf
+       fi
+
+       case ${CHOST} in
+               *-mingw*|mingw*)
+                       # Uses preconfigured Makefile rather than configure 
script
+                       multilib_copy_sources
+
+                       ;;
+       esac
+}
+
+echoit() { echo "$@"; "$@"; }
+
+multilib_src_configure() {
+       # We pass manually instead of relying on the configure script/makefile
+       # because it would pass it even for older binutils.
+       use sparc && append-flags $(test-flags-CCLD -Wl,--no-warn-rwx-segments)
+
+       # ideally we want !tc-ld-is-bfd for best future-proofing, but it needs
+       # https://github.com/gentoo/gentoo/pull/28355
+       # mold needs this too but right now tc-ld-is-mold is also not available
+       if tc-ld-is-lld; then
+               append-ldflags -Wl,--undefined-version
+       fi
+
+       case ${CHOST} in
+               *-mingw*|mingw*)
+                       ;;
+
+               *)
+                       # bug #347167
+                       local uname=$("${BROOT}"/usr/share/gnuconfig/config.sub 
"${CHOST}" | cut -d- -f3)
+
+                       local myconf=(
+                               --shared
+                               --prefix="${EPREFIX}/usr"
+                               --libdir="${EPREFIX}/usr/$(get_libdir)"
+                               ${uname:+--uname=${uname}}
+                       )
+
+                       # Not an autoconf script, so can't use econf
+                       echoit "${S}"/configure "${myconf[@]}" || die
+
+                       ;;
+       esac
+
+       if use minizip ; then
+               local minizipdir="contrib/minizip"
+               mkdir -p "${BUILD_DIR}/${minizipdir}" || die
+
+               cd ${minizipdir} || die
+               ECONF_SOURCE="${S}/${minizipdir}" econf $(use_enable 
static-libs static)
+       fi
+}
+
+multilib_src_compile() {
+       case ${CHOST} in
+               *-mingw*|mingw*)
+                       emake -f win32/Makefile.gcc STRIP=true PREFIX=${CHOST}-
+                       sed \
+                               -e 's|@prefix@|'"${EPREFIX}"'/usr|g' \
+                               -e 's|@exec_prefix@|${prefix}|g' \
+                               -e 
's|@libdir@|${exec_prefix}/'$(get_libdir)'|g' \
+                               -e 
's|@sharedlibdir@|${exec_prefix}/'$(get_libdir)'|g' \
+                               -e 's|@includedir@|${prefix}/include|g' \
+                               -e 's|@VERSION@|'${PV}'|g' \
+                               zlib.pc.in > zlib.pc || die
+                       ;;
+
+               *)
+                       emake
+
+                       ;;
+       esac
+
+       use minizip && emake -C contrib/minizip
+}
+
+sed_macros() {
+       # Clean up namespace a little, bug #383179
+       # We do it here so we only have to tweak 2 files
+       sed -i -r 's:\<(O[FN])\>:_Z_\1:g' "$@" || die
+}
+
+multilib_src_install() {
+       case ${CHOST} in
+               *-mingw*|mingw*)
+                       emake -f win32/Makefile.gcc install \
+                               BINARY_PATH="${ED}/usr/bin" \
+                               LIBRARY_PATH="${ED}/usr/$(get_libdir)" \
+                               INCLUDE_PATH="${ED}/usr/include" \
+                               SHARED_MODE=1
+
+                       # Overwrites zlib.pc created from win32/Makefile.gcc, 
bug #620136
+                       insinto /usr/$(get_libdir)/pkgconfig
+                       doins zlib.pc
+
+                       ;;
+
+               *)
+                       emake install DESTDIR="${D}" LDCONFIG=:
+                       gen_usr_ldscript -a z
+
+                       ;;
+       esac
+
+       sed_macros "${ED}"/usr/include/*.h
+
+       if use minizip ; then
+               emake -C contrib/minizip install DESTDIR="${D}"
+               sed_macros "${ED}"/usr/include/minizip/*.h
+
+               # This might not exist if slibtool is used.
+               # bug #816756
+               rm -f "${ED}"/usr/$(get_libdir)/libminizip.la || die
+       fi
+
+       if ! use static-libs ; then
+               # bug #419645
+               rm "${ED}"/usr/$(get_libdir)/libz.a || die
+       fi
+}
+
+multilib_src_install_all() {
+       dodoc FAQ README ChangeLog doc/*.txt
+
+       if use minizip ; then
+               dodoc contrib/minizip/*.txt
+               doman contrib/minizip/*.1
+       fi
+}
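Review bot: In multilib_src_configure, the assignment `local uname=$(... config.sub "${CHOST}" | cut -d- -f3)` cannot fail visibly. `local` returns 0 and the pipeline reports only the status of cut, so a failing config.sub leaves uname empty and `${uname:+--uname=${uname}}` silently drops the option. If that is deliberate best effort, a comment such as `# best effort: configure detects the system itself if config.sub fails` would say so. Otherwise declare and check separately, `local uname` followed by `uname=$("${BROOT}"/usr/share/gnuconfig/config.sub "${CHOST}") || die`, and cut the third field afterwards. The same lines appear in zlib-1.3-r2.ebuild.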

diff --git a/sys-libs/zlib/zlib-1.3-r2.ebuild b/sys-libs/zlib/zlib-1.3-r2.ebuild
new file mode 100644
index 000000000000..89522d3657a8
--- /dev/null
+++ b/sys-libs/zlib/zlib-1.3-r2.ebuild
@@ -0,0 +1,179 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Worth keeping an eye on 'develop' branch upstream for possible backports.
+AUTOTOOLS_AUTO_DEPEND="no"
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/madler.asc
+inherit autotools edo multilib-minimal flag-o-matic toolchain-funcs 
usr-ldscript verify-sig
+
+DESCRIPTION="Standard (de)compression library"
+HOMEPAGE="https://zlib.net/";
+SRC_URI="
+       https://zlib.net/${P}.tar.xz
+       https://zlib.net/fossils/${P}.tar.xz
+       https://zlib.net/current/beta/${P}.tar.xz
+       https://github.com/madler/zlib/releases/download/v${PV}/${P}.tar.xz
+       verify-sig? (
+               https://zlib.net/${P}.tar.xz.asc
+               
https://github.com/madler/zlib/releases/download/v${PV}/${P}.tar.xz.asc
+       )
+"
+
+LICENSE="ZLIB"
+SLOT="0/1" # subslot = SONAME
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 
~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos 
~x64-macos ~x64-solaris"
+IUSE="minizip static-libs"
+
+RDEPEND="!sys-libs/zlib-ng[compat]"
+DEPEND="${RDEPEND}"
+BDEPEND="
+       minizip? ( ${AUTOTOOLS_DEPEND} )
+       verify-sig? ( sec-keys/openpgp-keys-madler )
+"
+
+PATCHES=(
+       # Don't install unexpected & unused crypt.h header (which would clash 
with other pkgs)
+       # Pending upstream. bug #658536
+       "${FILESDIR}"/${PN}-1.2.11-minizip-drop-crypt-header.patch
+
+       # Respect AR, RANLIB, NM during build. Pending upstream. bug #831628
+       "${FILESDIR}"/${PN}-1.2.11-configure-fix-AR-RANLIB-NM-detection.patch
+
+       # Respect LDFLAGS during configure tests. Pending upstream
+       "${FILESDIR}"/${PN}-1.2.13-use-LDFLAGS-in-configure.patch
+
+       # Fix building on sparc with older binutils, we pass it in ebuild 
instead
+       
"${FILESDIR}"/${PN}-1.2.13-Revert-Turn-off-RWX-segment-warnings-on-sparc-system.patch
+
+       # CVE-2023-45853 (bug #916484)
+       "${FILESDIR}"/${PN}-1.2.13-CVE-2023-45853.patch
+)
+
+src_prepare() {
+       default
+
+       if use minizip ; then
+               cd contrib/minizip || die
+               eautoreconf
+       fi
+
+       case ${CHOST} in
+               *-mingw*|mingw*)
+                       # Uses preconfigured Makefile rather than configure 
script
+                       multilib_copy_sources
+
+                       ;;
+       esac
+}
+
+multilib_src_configure() {
+       # We pass manually instead of relying on the configure script/makefile
+       # because it would pass it even for older binutils.
+       use sparc && append-flags $(test-flags-CCLD -Wl,--no-warn-rwx-segments)
+
+       # ideally we want !tc-ld-is-bfd for best future-proofing, but it needs
+       # https://github.com/gentoo/gentoo/pull/28355
+       # mold needs this too but right now tc-ld-is-mold is also not available
+       if tc-ld-is-lld; then
+               append-ldflags -Wl,--undefined-version
+       fi
+
+       case ${CHOST} in
+               *-mingw*|mingw*)
+                       ;;
+
+               *)
+                       # bug #347167
+                       local uname=$("${BROOT}"/usr/share/gnuconfig/config.sub 
"${CHOST}" | cut -d- -f3)
+
+                       local myconf=(
+                               --shared
+                               --prefix="${EPREFIX}/usr"
+                               --libdir="${EPREFIX}/usr/$(get_libdir)"
+                               ${uname:+--uname=${uname}}
+                       )
+
+                       # Not an autoconf script, so can't use econf
+                       edo "${S}"/configure "${myconf[@]}"
+
+                       ;;
+       esac
+
+       if use minizip ; then
+               local minizipdir="contrib/minizip"
+               mkdir -p "${BUILD_DIR}/${minizipdir}" || die
+
+               cd ${minizipdir} || die
+               ECONF_SOURCE="${S}/${minizipdir}" econf $(use_enable 
static-libs static)
+       fi
+}
+
+multilib_src_compile() {
+       case ${CHOST} in
+               *-mingw*|mingw*)
+                       emake -f win32/Makefile.gcc STRIP=true PREFIX=${CHOST}-
+                       sed \
+                               -e 's|@prefix@|'"${EPREFIX}"'/usr|g' \
+                               -e 's|@exec_prefix@|${prefix}|g' \
+                               -e 
's|@libdir@|${exec_prefix}/'$(get_libdir)'|g' \
+                               -e 
's|@sharedlibdir@|${exec_prefix}/'$(get_libdir)'|g' \
+                               -e 's|@includedir@|${prefix}/include|g' \
+                               -e 's|@VERSION@|'${PV}'|g' \
+                               zlib.pc.in > zlib.pc || die
+                       ;;
+
+               *)
+                       emake
+
+                       ;;
+       esac
+
+       use minizip && emake -C contrib/minizip
+}
+
+multilib_src_install() {
+       case ${CHOST} in
+               *-mingw*|mingw*)
+                       emake -f win32/Makefile.gcc install \
+                               BINARY_PATH="${ED}/usr/bin" \
+                               LIBRARY_PATH="${ED}/usr/$(get_libdir)" \
+                               INCLUDE_PATH="${ED}/usr/include" \
+                               SHARED_MODE=1
+
+                       # Overwrites zlib.pc created from win32/Makefile.gcc, 
bug #620136
+                       insinto /usr/$(get_libdir)/pkgconfig
+                       doins zlib.pc
+
+                       ;;
+
+               *)
+                       emake install DESTDIR="${D}" LDCONFIG=:
+                       gen_usr_ldscript -a z
+
+                       ;;
+       esac
+
+       if use minizip ; then
+               emake -C contrib/minizip install DESTDIR="${D}"
+
+               # This might not exist if slibtool is used.
+               # bug #816756
+               rm -f "${ED}"/usr/$(get_libdir)/libminizip.la || die
+       fi
+
+       if ! use static-libs ; then
+               # bug #419645
+               rm "${ED}"/usr/$(get_libdir)/libz.a || die
+       fi
+}
+
+multilib_src_install_all() {
+       dodoc FAQ README ChangeLog doc/*.txt
+
+       if use minizip ; then
+               dodoc contrib/minizip/*.txt
+               doman contrib/minizip/*.1
+       fi
+}
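Review bot: The PATCHES entry `"${FILESDIR}"/${PN}-1.2.13-CVE-2023-45853.patch` reuses a patch named for 1.2.13 in the 1.3 ebuild, and its comment gives only the CVE and the bug number. The patch header cites an upstream commit and the change is confined to contrib/minizip, so the comment could tell the next maintainer what the patch covers and when it can go: `# CVE-2023-45853 (bug #916484): minizip only, upstream commit 73331a6a; drop once a release includes it`. A short mention that the 1.2.13-named file is intentionally shared with 1.3 would also prevent it being removed when the 1.2.13 ebuilds are cleaned up.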
