head 1.6; access; symbols OPENPKG_E1_MP_HEAD:1.6 OPENPKG_E1_MP:1.6 OPENPKG_E1_MP_2_STABLE:1.6 OPENPKG_E1_FP:1.6 OPENPKG_2_STABLE_20061018:1.6 OPENPKG_2_STABLE:1.6.0.4 OPENPKG_2_STABLE_BP:1.6 OPENPKG_2_5_SOLID:1.6.0.2 OPENPKG_2_5_SOLID_BP:1.6 OPENPKG_2_4_RELEASE:1.4 OPENPKG_2_4_SOLID:1.4.0.4 OPENPKG_2_4_SOLID_BP:1.4 OPENPKG_2_3_RELEASE:1.4 OPENPKG_2_3_SOLID:1.4.0.2 OPENPKG_2_3_SOLID_BP:1.4 OPENPKG_2_2_RELEASE:1.3 OPENPKG_2_2_SOLID:1.3.0.2 OPENPKG_2_2_SOLID_BP:1.3 OPENPKG_2_1_RELEASE:1.1 OPENPKG_2_1_SOLID:1.1.0.10 OPENPKG_2_1_SOLID_BP:1.1 OPENPKG_2_0_RELEASE:1.1 OPENPKG_2_0_SOLID:1.1.0.8 OPENPKG_2_0_SOLID_BP:1.1 OPENPKG_1_3_RELEASE:1.1.2.1 OPENPKG_1_3_SOLID:1.1.2.1.0.2 OPENPKG_1_3_SOLID_BP:1.1.2.1 OPENPKG_1_STABLE_MP:1.1 OPENPKG_1_1_SOLID:1.1.0.6 OPENPKG_1_2_SOLID:1.1.0.4 OPENPKG_1_STABLE:1.1.0.2; locks; strict; comment @# @; 1.6 date 2005.07.22.06.24.46; author rse; state dead; branches; next 1.5; 1.5 date 2005.07.06.16.43.23; author rse; state Exp; branches; next 1.4; 1.4 date 2004.12.06.06.21.20; author rse; state dead; branches 1.4.2.1 1.4.4.1; next 1.3; 1.3 date 2004.08.25.10.49.00; author rse; state Exp; branches 1.3.2.1; next 1.2; 1.2 date 2004.08.25.10.18.40; author rse; state dead; branches; next 1.1; 1.1 date 2003.02.27.14.29.39; author rse; state Exp; branches 1.1.2.1 1.1.4.1 1.1.6.1 1.1.8.1 1.1.10.1; next ; 1.4.2.1 date 2005.07.06.16.47.32; author rse; state Exp; branches; next 1.4.2.2; 1.4.2.2 date 2005.07.28.06.22.17; author rse; state Exp; branches; next ; 1.4.4.1 date 2005.07.06.16.45.22; author rse; state Exp; branches; next 1.4.4.2; 1.4.4.2 date 2005.07.28.06.20.06; author rse; state Exp; branches; next ; 1.3.2.1 date 2005.07.06.16.49.15; author rse; state Exp; branches; next ; 1.1.2.1 date 2003.03.04.11.56.04; author rse; state Exp; branches; next ; 1.1.4.1 date 2003.03.04.11.59.05; author rse; state Exp; branches; next ; 1.1.6.1 date 2003.03.04.12.02.04; author rse; state Exp; branches; next ; 1.1.8.1 date 2004.08.25.10.52.59; author rse; state 
dead; branches; next 1.1.8.2; 1.1.8.2 date 2004.08.25.10.53.50; author rse; state Exp; branches; next ; 1.1.10.1 date 2004.08.25.10.49.36; author rse; state dead; branches; next 1.1.10.2; 1.1.10.2 date 2004.08.25.10.50.48; author rse; state Exp; branches; next ; desc @@ 1.6 log @upgrading package: zlib 1.2.2 -> 1.2.3 @ text @Index: inftrees.c --- inftrees.c.orig 2004-09-15 16:30:06 +0200 +++ inftrees.c 2005-07-06 18:31:14 +0200 @@@@ -134,7 +134,7 @@@@ left -= count[len]; if (left < 0) return -1; /* over-subscribed */ } - if (left > 0 && (type == CODES || (codes - count[0] != 1))) + if (left > 0 && (type == CODES || max != 1)) return -1; /* incomplete set */ /* generate offsets into symbol table for each length for sorting */ @ 1.5 log @Fix zlib security issue (OpenPKG-SA-2005.013, CAN-2005-2096) @ text @@ 1.4 log @modifying package: zlib-1.2.2 20041206 again @ text @d1 10 a10 8 Security Bugfixes (CAN-2004-0797, OpenPKG-SA-2004.038-zlib): Index: infback.c --- infback.c.orig 2003-08-12 01:48:06 +0200 +++ infback.c 2004-08-25 12:37:07 +0200 @@@@ -434,6 +434,9 @@@@ } } d12 1 a12 19 + if (state->mode == BAD) + break; + /* build code tables */ state->next = state->codes; state->lencode = (code const FAR *)(state->next); Index: inflate.c --- inflate.c.orig 2003-10-26 07:15:36 +0100 +++ inflate.c 2004-08-25 12:37:07 +0200 @@@@ -861,6 +861,9 @@@@ } } + if (state->mode == BAD) + break; + /* build code tables */ state->next = state->codes; state->lencode = (code const FAR *)(state->next); @ 1.4.2.1 log @Fix zlib security issue (OpenPKG-SA-2005.013, CAN-2005-2096) @ text @d1 8 a8 10 Index: inftrees.c --- inftrees.c.orig 2004-09-15 16:30:06 +0200 +++ inftrees.c 2005-07-06 18:31:14 +0200 @@@@ -134,7 +134,7 @@@@ left -= count[len]; if (left < 0) return -1; /* over-subscribed */ } - if (left > 0 && (type == CODES || (codes - count[0] != 1))) + if (left > 0 && (type == CODES || max != 1)) return -1; /* incomplete set */ d10 19 a28 1 /* generate offsets into symbol table for each 
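Review bot: The `/* incomplete set */` comment on the changed line of the inftrees.c hunk does not say why `max != 1` is the only tolerated exception, although that condition is the whole of the fix the log attributes to CAN-2005-2096. Assuming `max` holds the longest code length in use (it is set outside this hunk), I would state the invariant next to the test: `/* incomplete set: allowed only for a non-CODES table whose only code has length 1 */`. A regression test asserting that inflate rejects an incomplete set would keep the condition from being loosened again. The same hunk is repeated in the 1.4.2.1, 1.4.4.1 and 1.3.2.1 deltas further down, and the enclosing function starts and ends outside the hunk.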
length for sorting */ @ 1.4.2.2 log @Security Bugfix (OpenPKG-SA-2005.014-zlib; CAN-2005-1849) @ text @a0 2 Security Bugfix (OpenPKG-SA-2005.013-zlib; CAN-2005-2096) a12 23 Security Bugfix (OpenPKG-SA-2005.014-zlib; CAN-2005-1849) Index: inftrees.h --- inftrees.h.orig 2003-08-11 00:15:50 +0200 +++ inftrees.h 2005-07-11 08:50:37 +0200 @@@@ -36,12 +36,12 @@@@ */ /* Maximum size of dynamic tree. The maximum found in a long but non- - exhaustive search was 1004 code structures (850 for length/literals - and 154 for distances, the latter actually the result of an + exhaustive search was 1444 code structures (852 for length/literals + and 592 for distances, the latter actually the result of an exhaustive search). The true maximum is not known, but the value below is more than safe. */ -#define ENOUGH 1440 -#define MAXD 154 +#define ENOUGH 2048 +#define MAXD 592 /* Type of code to build for inftable() */ typedef enum { @ 1.4.4.1 log @Fix zlib security issue (OpenPKG-SA-2005.013, CAN-2005-2096) @ text @d1 8 a8 10 Index: inftrees.c --- inftrees.c.orig 2004-09-15 16:30:06 +0200 +++ inftrees.c 2005-07-06 18:31:14 +0200 @@@@ -134,7 +134,7 @@@@ left -= count[len]; if (left < 0) return -1; /* over-subscribed */ } - if (left > 0 && (type == CODES || (codes - count[0] != 1))) + if (left > 0 && (type == CODES || max != 1)) return -1; /* incomplete set */ d10 19 a28 1 /* generate offsets into symbol table for each length for sorting */ @ 1.4.4.2 log @Security Bugfix (OpenPKG-SA-2005.014-zlib; CAN-2005-1849) @ text @a0 2 Security Bugfix (OpenPKG-SA-2005.013-zlib; CAN-2005-2096) a12 23 Security Bugfix (OpenPKG-SA-2005.014-zlib; CAN-2005-1849) Index: inftrees.h --- inftrees.h.orig 2003-08-11 00:15:50 +0200 +++ inftrees.h 2005-07-11 08:50:37 +0200 @@@@ -36,12 +36,12 @@@@ */ /* Maximum size of dynamic tree. 
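Review bot: The rewritten comment in the inftrees.h hunk still ends with "The true maximum is not known, but the value below is more than safe", the same wording that stood above `ENOUGH 1440` and `MAXD 154`, the values this security fix raises. Both the old and the new text also call the distance figure "the result of an exhaustive search", so a reader cannot tell which bound is proven and which is empirical. `ENOUGH` and `MAXD` presumably size a fixed table (their use is outside this hunk), so I would say so in the comment, e.g. `/* ENOUGH and MAXD are hard limits on the code table; the table builder must fail rather than write past them */`. It is also worth confirming that the builder checks the remaining space for distance codes as well as for length/literal codes. The same hunk appears again in the 1.4.4.2 delta.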
The maximum found in a long but non- - exhaustive search was 1004 code structures (850 for length/literals - and 154 for distances, the latter actually the result of an + exhaustive search was 1444 code structures (852 for length/literals + and 592 for distances, the latter actually the result of an exhaustive search). The true maximum is not known, but the value below is more than safe. */ -#define ENOUGH 1440 -#define MAXD 154 +#define ENOUGH 2048 +#define MAXD 592 /* Type of code to build for inftable() */ typedef enum { @ 1.3 log @Security Bugfixes (CAN-2004-0797, OpenPKG-SA-2004.038-zlib) @ text @@ 1.3.2.1 log @Fix zlib security issue (OpenPKG-SA-2005.013, CAN-2005-2096) @ text @a28 15 Security Bugfixes (CAN-2005-2096, OpenPKG-SA-2005.013-zlib): Index: inftrees.c --- inftrees.c.orig 2004-09-15 16:30:06 +0200 +++ inftrees.c 2005-07-06 18:31:14 +0200 @@@@ -134,7 +134,7 @@@@ left -= count[len]; if (left < 0) return -1; /* over-subscribed */ } - if (left > 0 && (type == CODES || (codes - count[0] != 1))) + if (left > 0 && (type == CODES || max != 1)) return -1; /* incomplete set */ /* generate offsets into symbol table for each length for sorting */ @ 1.2 log @why is this still unused patch still floating around in CURRENT? Remove it.... @ text @d1 1 a1 7 This patch fixes security holes caused by potential buffer overflows in the implementation of the gzprintf() function in zlib 1.1.4. The security holes are fixed for platforms providing vsnprintf(3) and snprintf(3) only. This patch is derived from a prepared security patch, originally created by Kelledin . The OpenPKG project reduced the patch in size and fixed the configuration checks. d3 6 a8 6 diff -ru3 zlib-1.1.4.orig/configure zlib-1.1.4/configure --- zlib-1.1.4.orig/configure Wed Jul 8 20:19:35 1998 +++ zlib-1.1.4/configure Thu Feb 27 15:14:54 2003 @@@@ -155,7 +155,212 @@@@ echo "Checking for unistd.h... No." 
fi d10 2 a11 4 -cat > $test.c <$test.c < +#include d13 12 a24 117 +#if (defined(__MSDOS__) || defined(_WINDOWS) || defined(_WIN32) || defined(__WIN32__) || defined(WIN32) || defined(__STDC__) || defined(__cplusplus) || defined(__OS2__)) && !defined(STDC) +# define STDC +#endif + +int main() +{ +#ifndef STDC + choke me +#endif + + return 0; +} +EOF + +if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then + echo "Checking whether to use vsnprintf() or snprintf()... using vsnprintf()" + + cat >$test.c < +#include + +int mytest(char *fmt, ...) +{ + char buf[20]; + va_list ap; + + va_start(ap, fmt); + vsnprintf(buf, sizeof(buf), fmt, ap); + va_end(ap); + return 0; +} + +int main() +{ + return (mytest("Hello%d\n", 1)); +} +EOF + + if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then + CFLAGS="$CFLAGS -DHAS_vsnprintf" + echo "Checking for vsnprintf() in stdio.h... Yes." + + cat >$test.c < +#include + +int mytest(char *fmt, ...) +{ + int i; + char buf[20]; + va_list ap; + + va_start(ap, fmt); + i = vsnprintf(buf, sizeof(buf), fmt, ap); + va_end(ap); + return 0; +} + +int main() +{ + return (mytest("Hello%d\n", 1)); +} +EOF + + if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then + CFLAGS="$CFLAGS -DHAS_vsnprintf_return" + echo "Checking for return value of vsnprintf()... Yes." + else + echo "Checking for return value of vsnprintf()... No." + echo " WARNING: apparently vsnprintf() does not return a value. zlib" + echo " can build but will be open to possible string-format security" + echo " vulnerabilities." + fi + else + echo "Checking for vsnprintf() in stdio.h... No." + echo " WARNING: vsnprintf() not found, falling back to vsprintf(). zlib" + echo " can build but will be open to possible buffer-overflow security" + echo " vulnerabilities." + + cat >$test.c < +#include + +int mytest(char *fmt, ...) 
+{ + int i; + char buf[20]; + va_list ap; + + va_start(ap, fmt); + i = vsprintf(buf, fmt, ap); + va_end(ap); + return 0; +} + +int main() +{ + return (mytest("Hello%d\n", 1)); +} +EOF + + if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then + CFLAGS="$CFLAGS -DHAS_vsprintf_return" + echo "Checking for return value of vsprintf()... Yes." + else + echo "Checking for return value of vsprintf()... No." + echo " WARNING: apparently vsprintf() does not return a value. zlib" + echo " can build but will be open to possible string-format security" + echo " vulnerabilities." + fi + fi +else + echo "Checking whether to use vsnprintf() or snprintf()... using snprintf()" + + cat >$test.c < +#include d26 3 a28 156 +int mytest() +{ + char buf[20]; + + snprintf(buf, sizeof(buf), "%s", "foo"); + return 0; +} + +int main() +{ + return (mytest()); +} +EOF + + if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then + CFLAGS="$CFLAGS -DHAS_snprintf" + echo "Checking for snprintf() in stdio.h... Yes." + + cat >$test.c < +#include + +int mytest(char *fmt, ...) +{ + int i; + char buf[20]; + + i = snprintf(buf, sizeof(buf), "%s", "foo"); + return 0; +} + +int main() +{ + return (mytest()); +} +EOF + + if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then + CFLAGS="$CFLAGS -DHAS_snprintf_return" + echo "Checking for return value of snprintf()... Yes." + else + echo "Checking for return value of snprintf()... No." + echo " WARNING: apparently snprintf() does not return a value. zlib" + echo " can build but will be open to possible string-format security" + echo " vulnerabilities." + fi + else + echo "Checking for snprintf() in stdio.h... No." + echo " WARNING: snprintf() not found, falling back to sprintf(). zlib" + echo " can build but will be open to possible buffer-overflow security" + echo " vulnerabilities." + + cat >$test.c < +#include + +int mytest(char *fmt, ...) 
+{ + int i; + char buf[20]; + + i = sprintf(buf, "%s", "foo"); + return 0; +} + +int main() +{ + return (mytest()); +} +EOF + + if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then + CFLAGS="$CFLAGS -DHAS_sprintf_return" + echo "Checking for return value of sprintf()... Yes." + else + echo "Checking for return value of sprintf()... No." + echo " WARNING: apparently sprintf() does not return a value. zlib" + echo " can build but will be open to possible string-format security" + echo " vulnerabilities." + fi + fi +fi + +cat >$test.c < int main() { return 0; } EOF diff -ru3 zlib-1.1.4.orig/gzio.c zlib-1.1.4/gzio.c --- zlib-1.1.4.orig/gzio.c Mon Mar 11 14:16:01 2002 +++ zlib-1.1.4/gzio.c Thu Feb 27 14:29:26 2003 @@@@ -530,13 +530,31 @@@@ va_start(va, format); #ifdef HAS_vsnprintf +# ifdef HAS_vsnprintf_return + len = vsnprintf(buf, sizeof(buf), format, va); + va_end(va); + if (len <= 0 || len >= sizeof(buf)) + return 0; +# else (void)vsnprintf(buf, sizeof(buf), format, va); + va_end(va); + len = strlen(buf); + if (len <= 0) + return 0; +# endif #else +# ifdef HAS_vsprintf_return + len = vsprintf(buf, format, va); + va_end(va); + if (len <= 0 || len >= sizeof(buf)) + return 0; +# else (void)vsprintf(buf, format, va); -#endif va_end(va); len = strlen(buf); /* some *sprintf don't return the nb of bytes written */ if (len <= 0) return 0; +# endif +#endif return gzwrite(file, buf, (unsigned)len); } @@@@ -553,14 +571,31 @@@@ int len; #ifdef HAS_snprintf +# ifdef HAS_snprintf_return + len = snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8, + a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20); + if (len <= 0 || len >= sizeof(buf)) + return 0; +# else snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20); + len = strlen(buf); + if (len <= 0) + return 0; +# endif #else +# ifdef HAS_sprintf_return + len = sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8, + a9, a10, a11, a12, a13, 
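Review bot: The fallback branches of the configure hunk only echo a WARNING when neither `vsnprintf()` nor `snprintf()` is found, and the build then continues with `vsprintf()`/`sprintf()`. An unattended package build therefore produces a library whose `gzprintf()` is still open to the overflow, with nothing but a line in the build log to show it. I would make that case fatal unless the builder explicitly opts in, for example `echo "ERROR: no bounded printf found; gzprintf() would be unsafe" >&2; exit 1` in place of the warning. The here-document bodies and `#include` names in this hunk are damaged in this copy, so the probes themselves cannot be reviewed from here.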
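Review bot: In the `HAS_vsprintf_return` branch of the first gzio.c hunk (and the `HAS_sprintf_return` branch of the second), `len >= sizeof(buf)` is tested only after the unbounded `vsprintf()`/`sprintf()` has already written into `buf`, so it reports an overflow rather than preventing one. The patch header admits the fix covers only platforms with the bounded functions, but a comment at each fallback branch should say so too. In the `vsnprintf`/`snprintf` branches without a usable return value, `len = strlen(buf)` relies on the library having NUL-terminated a truncated result, and the truncated text is then written as if it were complete. Forcing `buf[sizeof(buf) - 1] = 0;` right after the call and returning 0 when `len >= (int)sizeof(buf) - 1` would treat a completely filled buffer as truncated. Both functions begin outside their hunks.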
a14, a15, a16, a17, a18, a19, a20); + if (len <= 0 || len >= sizeof(buf)) + return 0; +# else sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20); -#endif len = strlen(buf); /* old sprintf doesn't return the nb of bytes written */ if (len <= 0) return 0; +# endif +#endif return gzwrite(file, buf, len); } @ 1.1 log @apply security bugfix @ text @@ 1.1.8.1 log @remove already unused patch @ text @@ 1.1.8.2 log @Security Bugfixes (CAN-2004-0797, OpenPKG-SA-2004.038-zlib) @ text @d1 7 a7 1 Security Bugfixes (CAN-2004-0797, OpenPKG-SA-2004.038-zlib): d9 6 a14 6 Index: infback.c --- infback.c.orig 2003-08-12 01:48:06 +0200 +++ infback.c 2004-08-25 12:37:07 +0200 @@@@ -434,6 +434,9 @@@@ } } d16 4 a19 2 + if (state->mode == BAD) + break; d21 209 a229 9 /* build code tables */ state->next = state->codes; state->lencode = (code const FAR *)(state->next); Index: inflate.c --- inflate.c.orig 2003-10-26 07:15:36 +0100 +++ inflate.c 2004-08-25 12:37:07 +0200 @@@@ -861,6 +861,9 @@@@ } } d231 64 a294 6 + if (state->mode == BAD) + break; + /* build code tables */ state->next = state->codes; state->lencode = (code const FAR *)(state->next); @ 1.1.10.1 log @remove already unused patch @ text @@ 1.1.10.2 log @Security Bugfixes (CAN-2004-0797, OpenPKG-SA-2004.038-zlib) @ text @d1 7 a7 1 Security Bugfixes (CAN-2004-0797, OpenPKG-SA-2004.038-zlib): d9 6 a14 6 Index: infback.c --- infback.c.orig 2003-08-12 01:48:06 +0200 +++ infback.c 2004-08-25 12:37:07 +0200 @@@@ -434,6 +434,9 @@@@ } } d16 4 a19 2 + if (state->mode == BAD) + break; d21 209 a229 9 /* build code tables */ state->next = state->codes; state->lencode = (code const FAR *)(state->next); Index: inflate.c --- inflate.c.orig 2003-10-26 07:15:36 +0100 +++ inflate.c 2004-08-25 12:37:07 +0200 @@@@ -861,6 +861,9 @@@@ } } d231 64 a294 6 + if (state->mode == BAD) + break; + /* build code tables */ state->next = state->codes; state->lencode = (code const FAR *)(state->next); @ 
1.1.6.1 log @MFS: security patch (related to OpenPKG-SA-2003.015-zlib) @ text @@ 1.1.4.1 log @MFS: security patch (related to OpenPKG-SA-2003.015-zlib) @ text @@ 1.1.2.1 log @MFC: security patch (related to OpenPKG-SA-2003.015-zlib) @ text @@