Control: tags -1 + patch
Hi Mark,
On Fri, Mar 25, 2022 at 05:31:44PM +0100, Moritz Muehlenhoff wrote:
> Source: zlib
> Version: 1:1.2.11.dfsg-2
> Severity: grave
> Tags: security
> X-Debbugs-Cc: Debian Security Team
>
> This was assigned CVE-2018-25032:
> https://www.openwall.com/lists/oss-security/2022/03/24/1
> https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
Here is a preliminary debdiff to address this.
Regards,
Salvatore
diff -Nru zlib-1.2.11.dfsg/debian/changelog zlib-1.2.11.dfsg/debian/changelog
--- zlib-1.2.11.dfsg/debian/changelog 2022-03-18 01:21:37.0 +0100
+++ zlib-1.2.11.dfsg/debian/changelog 2022-03-25 22:46:38.0 +0100
@@ -1,3 +1,11 @@
+zlib (1:1.2.11.dfsg-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix a bug that can crash deflate on some input when using Z_FIXED
+(CVE-2018-25032) (Closes: #1008265)
+
+ -- Salvatore Bonaccorso Fri, 25 Mar 2022 22:46:38 +0100
+
zlib (1:1.2.11.dfsg-3) unstable; urgency=low
* Add build-arch and build-indep (#999292).
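Review bot: `urgency=medium` on the new entry's first line is low for an upload that closes a `Severity: grave` / `Tags: security` bug (CVE-2018-25032); `urgency=high` is the usual choice here so the NMU migrates to testing without the normal delay. Also, as quoted, the continuation line `+(CVE-2018-25032) (Closes: #1008265)` carries no leading indentation under the `* Fix a bug ...` bullet; if that is not just mail wrapping, `dpkg-parsechangelog` will warn about an unrecognised line, so indent it like the other body lines.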
diff -Nru
zlib-1.2.11.dfsg/debian/patches/Fix-a-bug-that-can-crash-deflate-on-some-input-when-.patch
zlib-1.2.11.dfsg/debian/patches/Fix-a-bug-that-can-crash-deflate-on-some-input-when-.patch
---
zlib-1.2.11.dfsg/debian/patches/Fix-a-bug-that-can-crash-deflate-on-some-input-when-.patch
1970-01-01 01:00:00.0 +0100
+++
zlib-1.2.11.dfsg/debian/patches/Fix-a-bug-that-can-crash-deflate-on-some-input-when-.patch
2022-03-25 22:46:38.0 +0100
@@ -0,0 +1,347 @@
+From: Mark Adler
+Date: Tue, 17 Apr 2018 22:09:22 -0700
+Subject: Fix a bug that can crash deflate on some input when using Z_FIXED.
+Origin:
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
+Bug-Debian: https://bugs.debian.org/1008265
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-25032
+
+This bug was reported by Danilo Ramos of Eideticom, Inc. It has
+lain in wait 13 years before being found! The bug was introduced
+in zlib 1.2.2.2, with the addition of the Z_FIXED option. That
+option forces the use of fixed Huffman codes. For rare inputs with
+a large number of distant matches, the pending buffer into which
+the compressed data is written can overwrite the distance symbol
+table which it overlays. That results in corrupted output due to
+invalid distances, and can result in out-of-bound accesses,
+crashing the application.
+
+The fix here combines the distance buffer and literal/length
+buffers into a single symbol buffer. Now three bytes of pending
+buffer space are opened up for each literal or length/distance
+pair consumed, instead of the previous two bytes. This assures
+that the pending buffer cannot overwrite the symbol table, since
+the maximum fixed code compressed length/distance is 31 bits, and
+since there are four bytes of pending space for every three bytes
+of symbol space.
+---
+ deflate.c | 74 ---
+ deflate.h | 25 +--
+ trees.c | 50 +++--
+ 3 files changed, 79 insertions(+), 70 deletions(-)
+
+diff --git a/deflate.c b/deflate.c
+index 425babc00c33..19cba873ae98 100644
+--- a/deflate.c
b/deflate.c
+@@ -255,11 +255,6 @@ int ZEXPORT deflateInit2_(strm, level, method,
windowBits, memLevel, strategy,
+ int wrap = 1;
+ static const char my_version[] = ZLIB_VERSION;
+
+-ushf *overlay;
+-/* We overlay pending_buf and d_buf+l_buf. This works since the average
+- * output size for (length,distance) codes is <= 24 bits.
+- */
+-
+ if (version == Z_NULL || version[0] != my_version[0] ||
+ stream_size != sizeof(z_stream)) {
+ return Z_VERSION_ERROR;
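Review bot: removing `ushf *overlay;` together with its comment is the right first step, because the comment's premise (`average output size for (length,distance) codes is <= 24 bits`) is exactly the assumption that fails with Z_FIXED, where a length/distance pair can take up to 31 bits and the overlaid pending buffer can run into the distance table, as the patch description explains. Just confirm that every remaining use of `overlay` in `deflateInit2_` is replaced in the following hunk, otherwise the file no longer compiles.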
+@@ -329,9 +324,47 @@ int ZEXPORT deflateInit2_(strm, level, method,
windowBits, memLevel, strategy,
+
+ s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */
+
+-overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2);
+-s->pending_buf = (uchf *) overlay;
+-s->pending_buf_size = (ulg)s->lit_bufsize * (sizeof(ush)+2L);
++/* We overlay pending_buf and sym_buf. This works since the average size
++ * for length/distance pairs over any compressed block is assured to be 31
++ * bits or less.
++ *
++ * Analysis: The longest fixed codes are a length code of 8 bits plus 5
++ * extra bits, for lengths 131 to 257. The longest fixed distance codes
are
++ * 5 bits plus 13 extra bits, for distances 16385 to 32768. The longest
++ * possible fixed-codes length/distance pair is then 31 bits total.
++ *
++ * sym_buf starts one-fourth of the way into pending_buf. So there are
++ * three bytes in sym_buf for every four bytes in pending_buf. Each symbol
++ * in sym_buf is three bytes -- two for the distance and one for the
++ * literal/length. As each symbol is consumed, the pointer to the next
++ * sym_buf value to read moves forward three bytes.
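Review bot: the removed lines drop the `ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2)` allocation and the matching `pending_buf_size`, and the excerpt ends inside the replacement comment, so the new allocation is not visible here. When reviewing the rest of the hunk, check that it matches the comment's own arithmetic: each of the `lit_bufsize` symbols takes three bytes (two for the distance, one for the literal/length), so `sym_buf` needs `3 * lit_bufsize` bytes, `pending_buf` must be `4 * lit_bufsize` bytes, and `sym_buf` must start `lit_bufsize` bytes into it, giving the four-bytes-of-pending per three-bytes-of-symbol margin that covers the 31-bit worst case; and that the three-byte symbol layout is mirrored wherever trees.c reads the buffer, since that file is also in the diffstat. Separately, this quoting has wrapped long lines (the `diff -Nru` and `---`/`+++` file headers, the Origin URL, `b/deflate.c` without its `+++` prefix, and `are` on a line of its own inside the comment), so the patch must be applied from the unwrapped debdiff rather than from the message body.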