OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /v/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 20-Sep-2006 13:23:47
Branch: OPENPKG_2_5_SOLID Handle: 2006092012234700
Modified files: (Branch: OPENPKG_2_5_SOLID)
openpkg-src/gzip gzip.patch gzip.spec
Log:
MFC: Security Fixes (CVE-2006-4334, CVE-2006-4335, CVE-2006-4336,
CVE-2006-4337, CVE-2006-4338)
Summary:
Revision Changes Path
1.4.2.1 +203 -0 openpkg-src/gzip/gzip.patch
1.37.2.2 +1 -1 openpkg-src/gzip/gzip.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/gzip/gzip.patch
============================================================================
$ cvs diff -u -r1.4 -r1.4.2.1 gzip.patch
--- openpkg-src/gzip/gzip.patch 24 Jul 2005 17:20:26 -0000 1.4
+++ openpkg-src/gzip/gzip.patch 20 Sep 2006 11:23:47 -0000 1.4.2.1
@@ -11,6 +11,11 @@
if test -z "`(${CPMOD-cpmod} $tmp.1 $tmp.2) 2>&1`"; then
cpmod=${CPMOD-cpmod}
warn=""
+
+-----------------------------------------------------------------------------
+
+Security Fix
+
Index: gzip.c
--- gzip.c.orig 2005-06-11 10:02:57 +0200
+++ gzip.c 2005-06-11 10:03:02 +0200
@@ -23,6 +28,11 @@
#ifndef MAXSEG_64K
DECLARE(ush, tab_prefix, 1L<<BITS);
#else
+
+-----------------------------------------------------------------------------
+
+Security Fix
+
Index: gzip.c
--- gzip.c.orig 2002-09-28 09:38:43.000000000 +0200
+++ gzip.c 2005-07-24 18:20:41.621179000 +0200
@@ -43,3 +53,196 @@
/* If necessary, adapt the name to local OS conventions: */
if (!list) {
MAKE_LEGAL_NAME(base);
+
+-----------------------------------------------------------------------------
+
+Security Fixes
+- NULL dereference (CVE-2006-4334)
+- OOB write (CVE-2006-4335)
+- Buffer underflow (CVE-2006-4336)
+- Buffer overflow (CVE-2006-4337)
+- Infinite loop (CVE-2006-4338)
+
+Index: gzip.h
+--- gzip.h.orig 2001-10-01 08:53:41 +0200
++++ gzip.h 2006-09-20 12:53:27 +0200
+@@ -198,6 +198,8 @@
+ extern int to_stdout; /* output to stdout (-c) */
+ extern int save_orig_name; /* set if original name must be saved */
+
++#define MIN(a,b) ((a) <= (b) ? (a) : (b))
++
+ #define get_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(0))
+ #define try_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(1))
+
+Index: inflate.c
+--- inflate.c.orig 2002-09-25 23:20:13 +0200
++++ inflate.c 2006-09-20 12:50:53 +0200
+@@ -337,7 +337,7 @@
+ {
+ *t = (struct huft *)NULL;
+ *m = 0;
+- return 0;
++ return 2;
+ }
+
+
+Index: unlzh.c
+--- unlzh.c.orig 1999-10-06 07:00:00 +0200
++++ unlzh.c 2006-09-20 12:56:33 +0200
+@@ -149,12 +149,17 @@
+ unsigned i, k, len, ch, jutbits, avail, nextcode, mask;
+
+ for (i = 1; i <= 16; i++) count[i] = 0;
+- for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++;
++ for (i = 0; i < (unsigned)nchar; i++) {
++ if (bitlen[i] > 16)
++ error("Bad table\n");
++ else
++ count[bitlen[i]]++;
++ }
+
+ start[1] = 0;
+ for (i = 1; i <= 16; i++)
+ start[i + 1] = start[i] + (count[i] << (16 - i));
+- if ((start[17] & 0xffff) != 0)
++ if ((start[17] & 0xffff) != 0 || tablebits > 16) /* 16 for weight below
*/
+ error("Bad table\n");
+
+ jutbits = 16 - tablebits;
+@@ -169,15 +174,15 @@
+
+ i = start[tablebits + 1] >> jutbits;
+ if (i != 0) {
+- k = 1 << tablebits;
+- while (i != k) table[i++] = 0;
++ k = MIN(1 << tablebits, DIST_BUFSIZE);
++ while (i < k) table[i++] = 0;
+ }
+
+ avail = nchar;
+ mask = (unsigned) 1 << (15 - tablebits);
+ for (ch = 0; ch < (unsigned)nchar; ch++) {
+ if ((len = bitlen[ch]) == 0) continue;
+- nextcode = start[len] + weight[len];
++ nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE);
+ if (len <= (unsigned)tablebits) {
+ for (i = start[len]; i < nextcode; i++) table[i] = ch;
+ } else {
+@@ -218,7 +223,7 @@
+ for (i = 0; i < 256; i++) pt_table[i] = c;
+ } else {
+ i = 0;
+- while (i < n) {
++ while (i < MIN(n,NPT)) {
+ c = bitbuf >> (BITBUFSIZ - 3);
+ if (c == 7) {
+ mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3);
+@@ -228,7 +233,7 @@
+ pt_len[i++] = c;
+ if (i == i_special) {
+ c = getbits(2);
+- while (--c >= 0) pt_len[i++] = 0;
++ while (--c >= 0 && i < NPT) pt_len[i++] = 0;
+ }
+ }
+ while (i < nn) pt_len[i++] = 0;
+@@ -248,7 +253,7 @@
+ for (i = 0; i < 4096; i++) c_table[i] = c;
+ } else {
+ i = 0;
+- while (i < n) {
++ while (i < MIN(n,NC)) {
+ c = pt_table[bitbuf >> (BITBUFSIZ - 8)];
+ if (c >= NT) {
+ mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8);
+@@ -256,14 +261,14 @@
+ if (bitbuf & mask) c = right[c];
+ else c = left [c];
+ mask >>= 1;
+- } while (c >= NT);
++ } while (c >= NT && (mask || c != left[c]));
+ }
+ fillbuf((int) pt_len[c]);
+ if (c <= 2) {
+ if (c == 0) c = 1;
+ else if (c == 1) c = getbits(4) + 3;
+ else c = getbits(CBIT) + 20;
+- while (--c >= 0) c_len[i++] = 0;
++ while (--c >= 0 && i < NC) c_len[i++] = 0;
+ } else c_len[i++] = c - 2;
+ }
+ while (i < NC) c_len[i++] = 0;
+@@ -292,7 +297,7 @@
+ if (bitbuf & mask) j = right[j];
+ else j = left [j];
+ mask >>= 1;
+- } while (j >= NC);
++ } while (j >= NC && (mask || j != left[j]));
+ }
+ fillbuf((int) c_len[j]);
+ return j;
+@@ -309,7 +314,7 @@
+ if (bitbuf & mask) j = right[j];
+ else j = left [j];
+ mask >>= 1;
+- } while (j >= NP);
++ } while (j >= NP && (mask || j != left[j]));
+ }
+ fillbuf((int) pt_len[j]);
+ if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1));
+@@ -356,7 +361,7 @@
+ while (--j >= 0) {
+ buffer[r] = buffer[i];
+ i = (i + 1) & (DICSIZ - 1);
+- if (++r == count) return r;
++ if (++r >= count) return r;
+ }
+ for ( ; ; ) {
+ c = decode_c();
+@@ -366,14 +371,14 @@
+ }
+ if (c <= UCHAR_MAX) {
+ buffer[r] = c;
+- if (++r == count) return r;
++ if (++r >= count) return r;
+ } else {
+ j = c - (UCHAR_MAX + 1 - THRESHOLD);
+ i = (r - decode_p() - 1) & (DICSIZ - 1);
+ while (--j >= 0) {
+ buffer[r] = buffer[i];
+ i = (i + 1) & (DICSIZ - 1);
+- if (++r == count) return r;
++ if (++r >= count) return r;
+ }
+ }
+ }
+Index: unpack.c
+--- unpack.c.orig 1999-10-06 07:00:00 +0200
++++ unpack.c 2006-09-20 12:50:53 +0200
+@@ -13,7 +13,6 @@
+ #include "gzip.h"
+ #include "crypt.h"
+
+-#define MIN(a,b) ((a) <= (b) ? (a) : (b))
+ /* The arguments must not have side effects. */
+
+ #define MAX_BITLEN 25
+@@ -133,7 +132,7 @@
+ /* Remember where the literals of this length start in literal[] : */
+ lit_base[len] = base;
+ /* And read the literals: */
+- for (n = leaves[len]; n > 0; n--) {
++ for (n = leaves[len]; n > 0 && base < LITERALS; n--) {
+ literal[base++] = (uch)get_byte();
+ }
+ }
+@@ -169,7 +168,7 @@
+ prefixp = &prefix_len[1<<peek_bits];
+ for (len = 1; len <= peek_bits; len++) {
+ int prefixes = leaves[len] << (peek_bits-len); /* may be 0 */
+- while (prefixes--) *--prefixp = (uch)len;
++ while (prefixes-- && prefixp > prefix_len) *--prefixp = (uch)len;
+ }
+ /* The length of all other codes is unknown: */
+ while (prefixp > prefix_len) *--prefixp = 0;
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/gzip/gzip.spec
============================================================================
$ cvs diff -u -r1.37.2.1 -r1.37.2.2 gzip.spec
--- openpkg-src/gzip/gzip.spec 11 Oct 2005 12:50:15 -0000 1.37.2.1
+++ openpkg-src/gzip/gzip.spec 20 Sep 2006 11:23:47 -0000 1.37.2.2
@@ -33,7 +33,7 @@
Group: Compression
License: GPL
Version: 1.3.5
-Release: 2.5.0
+Release: 2.5.1
# list of sources
Source0: ftp://alpha.gnu.org/gnu/gzip/gzip-%{version}.tar.gz
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List openpkg-cvs@openpkg.org
