From: Hugo SIMELIERE <[email protected]> Upstream-Status: Backport from https://github.com/madler/zlib/commit/ba829a458576d1ff0f26fc7230c6de816d1f6a77
Signed-off-by: Bruno VERNAY <[email protected]> Signed-off-by: Hugo SIMELIERE <[email protected]> --- .../zlib/zlib/CVE-2026-27171.patch | 63 +++++++++++++++++++ meta/recipes-core/zlib/zlib_1.3.1.bb | 1 + 2 files changed, 64 insertions(+) create mode 100644 meta/recipes-core/zlib/zlib/CVE-2026-27171.patch diff --git a/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch b/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch new file mode 100644 index 0000000000..e6a8a3eac5 --- /dev/null +++ b/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch @@ -0,0 +1,63 @@ +From f234bdf5c0f94b681312452fcd5e36968221fa04 Mon Sep 17 00:00:00 2001 +From: Mark Adler <[email protected]> +Date: Sun, 21 Dec 2025 18:17:56 -0800 +Subject: [PATCH] Check for negative lengths in crc32_combine functions. + +Though zlib.h says that len2 must be non-negative, this avoids the +possibility of an accidental infinite loop. + +Upstream-Status: Backport [https://github.com/madler/zlib/commit/ba829a458576d1ff0f26fc7230c6de816d1f6a77] +CVE: CVE-2026-27171 + +Signed-off-by: Hugo SIMELIERE <[email protected]> +--- + crc32.c | 4 ++++ + zlib.h | 4 ++-- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/crc32.c b/crc32.c +index 6c38f5c..33d8c79 100644 +--- a/crc32.c ++++ b/crc32.c +@@ -1019,6 +1019,8 @@ unsigned long ZEXPORT crc32(unsigned long crc, const unsigned char FAR *buf, + + /* ========================================================================= */ + uLong ZEXPORT crc32_combine64(uLong crc1, uLong crc2, z_off64_t len2) { ++ if (len2 < 0) ++ return 0; + #ifdef DYNAMIC_CRC_TABLE + once(&made, make_crc_table); + #endif /* DYNAMIC_CRC_TABLE */ +@@ -1032,6 +1034,8 @@ uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2) { + + /* ========================================================================= */ + uLong ZEXPORT crc32_combine_gen64(z_off64_t len2) { ++ if (len2 < 0) ++ return 0; + #ifdef DYNAMIC_CRC_TABLE + once(&made, make_crc_table); + #endif /* DYNAMIC_CRC_TABLE */ +diff --git a/zlib.h b/zlib.h +index 8d4b932..8c7f8ac 100644 +--- a/zlib.h ++++ b/zlib.h +@@ -1758,14 +1758,14 @@ ZEXTERN uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2); + seq1 and seq2 with lengths len1 and len2, CRC-32 check values were + calculated for each, crc1 and crc2. crc32_combine() returns the CRC-32 + check value of seq1 and seq2 concatenated, requiring only crc1, crc2, and +- len2. len2 must be non-negative. ++ len2. len2 must be non-negative, otherwise zero is returned. + */ + + /* + ZEXTERN uLong ZEXPORT crc32_combine_gen(z_off_t len2); + + Return the operator corresponding to length len2, to be used with +- crc32_combine_op(). len2 must be non-negative. ++ crc32_combine_op(). len2 must be non-negative, otherwise zero is returned. + */ + + ZEXTERN uLong ZEXPORT crc32_combine_op(uLong crc1, uLong crc2, uLong op); +-- +2.43.0 + diff --git a/meta/recipes-core/zlib/zlib_1.3.1.bb b/meta/recipes-core/zlib/zlib_1.3.1.bb index ef83142121..892467a1fb 100644 --- a/meta/recipes-core/zlib/zlib_1.3.1.bb +++ b/meta/recipes-core/zlib/zlib_1.3.1.bb @@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://zlib.h;beginline=6;endline=23;md5=5377232268e952e9ef6 SRC_URI = "https://zlib.net/${BP}.tar.gz \ file://0001-configure-Pass-LDFLAGS-to-link-tests.patch \ file://run-ptest \ + file://CVE-2026-27171.patch \ " UPSTREAM_CHECK_URI = "http://zlib.net/"; -- 2.43.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#231515): https://lists.openembedded.org/g/openembedded-core/message/231515 Mute This Topic: https://lists.openembedded.org/mt/117910144/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
