Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 601828 - <sys-libs/zlib-1.2.9: multiple vulnerabilities (CVE-2016-{9840,9841,9842,9843})
Summary: <sys-libs/zlib-1.2.9: multiple vulnerabilities (CVE-2016-{9840,9841,9842,9843})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
  Show dependency tree
 
Reported: 2016-12-06 16:17 UTC by Agostino Sarubbo
Modified: 2020-06-19 23:18 UTC (History)
1 user (show)

See Also:
Package list:
=sys-libs/zlib-1.2.11
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-12-06 16:17:44 UTC
From ${URL} :

Mozilla has asked Trail of Bits / TrustInSoft to audit zlib 
https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib

which had some findings (1 medium, 4 low):

https://wiki.mozilla.org/images/0/09/Zlib-report.pdf

extracting from the referenced document:

https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit

zlib SOS Fund Audit Fix Log
Identified Issues

Finding 1: Incompatible declarations for external linkage function deflate (Medium)
Fix: https://github.com/madler/zlib/commit/3fb251b363866417122fe54a158a1ac5a7837101
VERIFIED


Finding 2: Accessing a buffer of char via a pointer to unsigned int (Low)
Mark Adler (zlib): [This] will remain as is. Yes, speed matters a great deal. The comment in
the report: "In the longer term, platform specific micro-optimizations should be deprecated.
These optimizations may no longer be necessary: modern compilers are much better at
optimizing and vectorizing code than they used to be." does not apply. This is not a
micro-optimization, and unless the compiler has the intelligence and creativity of a good
mathematician well-versed in discrete mathematics, can detect the application of Galois
Fields in the code, know somehow to postulate a theorem for an equivalent calculation over
GF(2) that will, in the end, improve the speed, prove that theorem, and then generate on its
own the additional tables to apply that theorem, then no, there is no way that a compiler is
coming up with that one.
UNRESOLVED:This issue remains under discussion to determine whether there is a way
which removes the mismatched pointer without affecting performance.


Finding 3: Out-of-bounds pointer arithmetic in inftrees.c (Low)
Fix: https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0
     https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb
VERIFIED

Finding 4: Undefined left shift of negative number (Low)
Fix: https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958
(This was already fixed on the development branch before being discovered.)
VERIFIED

Finding 5: Big-endian out-of-bounds pointer (Low)
Fix: https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811
VERIFIED



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Thomas Deutschmann gentoo-dev 2017-01-09 22:12:43 UTC
@ Maintainer(s): Thank you for the bump. Can we start stabilization of =sys-libs/zlib-1.2.10?
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-01-10 08:30:15 UTC
Arches please test and mark stable =sys-libs/zlib-1.2.10 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Comment 3 Aaron Bauman gentoo-dev Security 2017-01-11 11:12:28 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-01-13 15:43:28 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-14 13:37:28 UTC
Stable for HPPA.
Comment 6 Markus Meier gentoo-dev 2017-01-15 12:57:23 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-01-15 16:04:09 UTC
ppc stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-15 22:20:51 UTC
Stable on alpha.
Comment 9 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-01-16 13:58:03 UTC
Remaining arches please continue stabilization in bug #605888
Comment 10 Thomas Deutschmann gentoo-dev 2017-01-16 13:59:56 UTC
@ Remaining arches,

please continue with =sys-libs/zlib-1.2.11 (bug #605888).
Comment 11 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-01-16 16:50:43 UTC
commit 022998708261a545455af0b6ffb9e10be7ba9326
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Jan 16 17:50:16 2017

    sys-libs/zlib: Security cleanup (bug #601828).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 12 Thomas Deutschmann gentoo-dev 2017-01-16 18:58:49 UTC
New GLSA request filed.

Repository is clean.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-01-23 03:41:01 UTC
This issue was resolved and addressed in
 GLSA 201701-56 at https://security.gentoo.org/glsa/201701-56
by GLSA coordinator Aaron Bauman (b-man).