OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 20-Sep-2006 13:23:47 Branch: OPENPKG_2_5_SOLID Handle: 2006092012234700 Modified files: (Branch: OPENPKG_2_5_SOLID) openpkg-src/gzip gzip.patch gzip.spec Log: MFC: Security Fixes (CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338) Summary: Revision Changes Path 1.4.2.1 +203 -0 openpkg-src/gzip/gzip.patch 1.37.2.2 +1 -1 openpkg-src/gzip/gzip.spec ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-src/gzip/gzip.patch ============================================================================ $ cvs diff -u -r1.4 -r1.4.2.1 gzip.patch --- openpkg-src/gzip/gzip.patch 24 Jul 2005 17:20:26 -0000 1.4 +++ openpkg-src/gzip/gzip.patch 20 Sep 2006 11:23:47 -0000 1.4.2.1 @@ -11,6 +11,11 @@ if test -z "`(${CPMOD-cpmod} $tmp.1 $tmp.2) 2>&1`"; then cpmod=${CPMOD-cpmod} warn="" + +----------------------------------------------------------------------------- + +Security Fix + Index: gzip.c --- gzip.c.orig 2005-06-11 10:02:57 +0200 +++ gzip.c 2005-06-11 10:03:02 +0200 @@ -23,6 +28,11 @@ #ifndef MAXSEG_64K DECLARE(ush, tab_prefix, 1L<<BITS); #else + +----------------------------------------------------------------------------- + +Security Fix + Index: gzip.c --- gzip.c.orig 2002-09-28 09:38:43.000000000 +0200 +++ gzip.c 2005-07-24 18:20:41.621179000 +0200 @@ -43,3 +53,196 @@ /* If necessary, adapt the name to local OS conventions: */ if (!list) { MAKE_LEGAL_NAME(base); + +----------------------------------------------------------------------------- + +Security Fixes +- NULL dereference (CVE-2006-4334) +- OOB write (CVE-2006-4335) +- Buffer underflow (CVE-2006-4336) +- Buffer overflow (CVE-2006-4337) +- Infinite loop (CVE-2006-4338) + +Index: gzip.h +--- gzip.h.orig 2001-10-01 08:53:41 +0200 ++++ gzip.h 2006-09-20 12:53:27 +0200 +@@ -198,6 +198,8 @@ + extern int to_stdout; /* output to stdout (-c) */ + extern int save_orig_name; /* set if original name must be saved */ + ++#define MIN(a,b) ((a) <= (b) ? (a) : (b)) ++ + #define get_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(0)) + #define try_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(1)) + +Index: inflate.c +--- inflate.c.orig 2002-09-25 23:20:13 +0200 ++++ inflate.c 2006-09-20 12:50:53 +0200 +@@ -337,7 +337,7 @@ + { + *t = (struct huft *)NULL; + *m = 0; +- return 0; ++ return 2; + } + + +Index: unlzh.c +--- unlzh.c.orig 1999-10-06 07:00:00 +0200 ++++ unlzh.c 2006-09-20 12:56:33 +0200 +@@ -149,12 +149,17 @@ + unsigned i, k, len, ch, jutbits, avail, nextcode, mask; + + for (i = 1; i <= 16; i++) count[i] = 0; +- for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++; ++ for (i = 0; i < (unsigned)nchar; i++) { ++ if (bitlen[i] > 16) ++ error("Bad table\n"); ++ else ++ count[bitlen[i]]++; ++ } + + start[1] = 0; + for (i = 1; i <= 16; i++) + start[i + 1] = start[i] + (count[i] << (16 - i)); +- if ((start[17] & 0xffff) != 0) ++ if ((start[17] & 0xffff) != 0 || tablebits > 16) /* 16 for weight below */ + error("Bad table\n"); + + jutbits = 16 - tablebits; +@@ -169,15 +174,15 @@ + + i = start[tablebits + 1] >> jutbits; + if (i != 0) { +- k = 1 << tablebits; +- while (i != k) table[i++] = 0; ++ k = MIN(1 << tablebits, DIST_BUFSIZE); ++ while (i < k) table[i++] = 0; + } + + avail = nchar; + mask = (unsigned) 1 << (15 - tablebits); + for (ch = 0; ch < (unsigned)nchar; ch++) { + if ((len = bitlen[ch]) == 0) continue; +- nextcode = start[len] + weight[len]; ++ nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE); + if (len <= (unsigned)tablebits) { + for (i = start[len]; i < nextcode; i++) table[i] = ch; + } else { +@@ -218,7 +223,7 @@ + for (i = 0; i < 256; i++) pt_table[i] = c; + } else { + i = 0; +- while (i < n) { ++ while (i < MIN(n,NPT)) { + c = bitbuf >> (BITBUFSIZ - 3); + if (c == 7) { + mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3); +@@ -228,7 +233,7 @@ + pt_len[i++] = c; + if (i == i_special) { + c = getbits(2); +- while (--c >= 0) pt_len[i++] = 0; ++ while (--c >= 0 && i < NPT) pt_len[i++] = 0; + } + } + while (i < nn) pt_len[i++] = 0; +@@ -248,7 +253,7 @@ + for (i = 0; i < 4096; i++) c_table[i] = c; + } else { + i = 0; +- while (i < n) { ++ while (i < MIN(n,NC)) { + c = pt_table[bitbuf >> (BITBUFSIZ - 8)]; + if (c >= NT) { + mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8); +@@ -256,14 +261,14 @@ + if (bitbuf & mask) c = right[c]; + else c = left [c]; + mask >>= 1; +- } while (c >= NT); ++ } while (c >= NT && (mask || c != left[c])); + } + fillbuf((int) pt_len[c]); + if (c <= 2) { + if (c == 0) c = 1; + else if (c == 1) c = getbits(4) + 3; + else c = getbits(CBIT) + 20; +- while (--c >= 0) c_len[i++] = 0; ++ while (--c >= 0 && i < NC) c_len[i++] = 0; + } else c_len[i++] = c - 2; + } + while (i < NC) c_len[i++] = 0; +@@ -292,7 +297,7 @@ + if (bitbuf & mask) j = right[j]; + else j = left [j]; + mask >>= 1; +- } while (j >= NC); ++ } while (j >= NC && (mask || j != left[j])); + } + fillbuf((int) c_len[j]); + return j; +@@ -309,7 +314,7 @@ + if (bitbuf & mask) j = right[j]; + else j = left [j]; + mask >>= 1; +- } while (j >= NP); ++ } while (j >= NP && (mask || j != left[j])); + } + fillbuf((int) pt_len[j]); + if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1)); +@@ -356,7 +361,7 @@ + while (--j >= 0) { + buffer[r] = buffer[i]; + i = (i + 1) & (DICSIZ - 1); +- if (++r == count) return r; ++ if (++r >= count) return r; + } + for ( ; ; ) { + c = decode_c(); +@@ -366,14 +371,14 @@ + } + if (c <= UCHAR_MAX) { + buffer[r] = c; +- if (++r == count) return r; ++ if (++r >= count) return r; + } else { + j = c - (UCHAR_MAX + 1 - THRESHOLD); + i = (r - decode_p() - 1) & (DICSIZ - 1); + while (--j >= 0) { + buffer[r] = buffer[i]; + i = (i + 1) & (DICSIZ - 1); +- if (++r == count) return r; ++ if (++r >= count) return r; + } + } + } +Index: unpack.c +--- unpack.c.orig 1999-10-06 07:00:00 +0200 ++++ unpack.c 2006-09-20 12:50:53 +0200 +@@ -13,7 +13,6 @@ + #include "gzip.h" + #include "crypt.h" + +-#define MIN(a,b) ((a) <= (b) ? (a) : (b)) + /* The arguments must not have side effects. */ + + #define MAX_BITLEN 25 +@@ -133,7 +132,7 @@ + /* Remember where the literals of this length start in literal[] : */ + lit_base[len] = base; + /* And read the literals: */ +- for (n = leaves[len]; n > 0; n--) { ++ for (n = leaves[len]; n > 0 && base < LITERALS; n--) { + literal[base++] = (uch)get_byte(); + } + } +@@ -169,7 +168,7 @@ + prefixp = &prefix_len[1<<peek_bits]; + for (len = 1; len <= peek_bits; len++) { + int prefixes = leaves[len] << (peek_bits-len); /* may be 0 */ +- while (prefixes--) *--prefixp = (uch)len; ++ while (prefixes-- && prefixp > prefix_len) *--prefixp = (uch)len; + } + /* The length of all other codes is unknown: */ + while (prefixp > prefix_len) *--prefixp = 0; @@ . patch -p0 <<'@@ .' Index: openpkg-src/gzip/gzip.spec ============================================================================ $ cvs diff -u -r1.37.2.1 -r1.37.2.2 gzip.spec --- openpkg-src/gzip/gzip.spec 11 Oct 2005 12:50:15 -0000 1.37.2.1 +++ openpkg-src/gzip/gzip.spec 20 Sep 2006 11:23:47 -0000 1.37.2.2 @@ -33,7 +33,7 @@ Group: Compression License: GPL Version: 1.3.5 -Release: 2.5.0 +Release: 2.5.1 # list of sources Source0: ftp://alpha.gnu.org/gnu/gzip/gzip-%{version}.tar.gz @@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org