zlib: 1.2.12 -> 1.2.13

2024-12-13 17:23:08 +00:00 · 2022-10-15 20:12:24 +03:00 · 2022-10-15 20:12:24 +03:00 · 017b667099
commit 017b667099
parent 00e5a55909
4 changed files with 2 additions and 150 deletions
--- a/pkgs/development/libraries/zlib/CVE-2022-37434.patch
+++ b/pkgs/development/libraries/zlib/CVE-2022-37434.patch
@ -1,62 +0,0 @@
-From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
-From: Mark Adler <fork@madler.net>
-Date: Sat, 30 Jul 2022 15:51:11 -0700
-Subject: [PATCH] Fix a bug when getting a gzip header extra field with
- inflate().
-
-If the extra field was larger than the space the user provided with
-inflateGetHeader(), and if multiple calls of inflate() delivered
-the extra header data, then there could be a buffer overflow of the
-provided space. This commit assures that provided space is not
-exceeded.
---
- inflate.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/inflate.c b/inflate.c
-index 7be8c6366..7a7289749 100644
--- a/inflate.c
-+++ b/inflate.c
-@@ -763,9 +763,10 @@ int flush;
-                 copy = state->length;
-                 if (copy > have) copy = have;
-                 if (copy) {
-+                    len = state->head->extra_len - state->length;
-                     if (state->head != Z_NULL &&
-                        state->head->extra != Z_NULL) {
-                        len = state->head->extra_len - state->length;
-+                        state->head->extra != Z_NULL &&
-+                        len < state->head->extra_max) {
-                         zmemcpy(state->head->extra + len, next,
-                                 len + copy > state->head->extra_max ?
-                                 state->head->extra_max - len : copy);
-
-From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
-From: Mark Adler <fork@madler.net>
-Date: Mon, 8 Aug 2022 10:50:09 -0700
-Subject: [PATCH] Fix extra field processing bug that dereferences NULL
- state->head.
-
-The recent commit to fix a gzip header extra field processing bug
-introduced the new bug fixed here.
---
- inflate.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/inflate.c b/inflate.c
-index 7a7289749..2a3c4fe98 100644
--- a/inflate.c
-+++ b/inflate.c
-@@ -763,10 +763,10 @@ int flush;
-                 copy = state->length;
-                 if (copy > have) copy = have;
-                 if (copy) {
-                    len = state->head->extra_len - state->length;
-                     if (state->head != Z_NULL &&
-                         state->head->extra != Z_NULL &&
-                        len < state->head->extra_max) {
-+                        (len = state->head->extra_len - state->length) <
-+                            state->head->extra_max) {
-                         zmemcpy(state->head->extra + len, next,
-                                 len + copy > state->head->extra_max ?
-                                 state->head->extra_max - len : copy);
--- a/pkgs/development/libraries/zlib/comprehensive-crc-validation-for-wrong-implementations.patch
+++ b/pkgs/development/libraries/zlib/comprehensive-crc-validation-for-wrong-implementations.patch
@ -1,51 +0,0 @@
-From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001
-From: Mark Adler <madler@alumni.caltech.edu>
-Date: Wed, 30 Mar 2022 11:14:53 -0700
-Subject: [PATCH] Correct incorrect inputs provided to the CRC functions.
-
-The previous releases of zlib were not sensitive to incorrect CRC
-inputs with bits set above the low 32. This commit restores that
-behavior, so that applications with such bugs will continue to
-operate as before.
---
- crc32.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/crc32.c b/crc32.c
-index a1bdce5c2..451887bc7 100644
--- a/crc32.c
-+++ b/crc32.c
-@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
- #endif /* DYNAMIC_CRC_TABLE */
- 
-     /* Pre-condition the CRC */
-    crc ^= 0xffffffff;
-+    crc = (~crc) & 0xffffffff;
- 
-     /* Compute the CRC up to a word boundary. */
-     while (len && ((z_size_t)buf & 7) != 0) {
-@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
- #endif /* DYNAMIC_CRC_TABLE */
- 
-     /* Pre-condition the CRC */
-    crc ^= 0xffffffff;
-+    crc = (~crc) & 0xffffffff;
- 
- #ifdef W
- 
-@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2)
- #ifdef DYNAMIC_CRC_TABLE
-     once(&made, make_crc_table);
- #endif /* DYNAMIC_CRC_TABLE */
-    return multmodp(x2nmodp(len2, 3), crc1) ^ crc2;
-+    return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff);
- }
- 
- /* ========================================================================= */
-@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op)
-     uLong crc2;
-     uLong op;
- {
-    return multmodp(op, crc1) ^ crc2;
-+    return multmodp(op, crc1) ^ (crc2 & 0xffffffff);
- }
--- a/pkgs/development/libraries/zlib/default.nix
+++ b/pkgs/development/libraries/zlib/default.nix
@ -23,14 +23,14 @@ assert splitStaticOutput -> static;

 stdenv.mkDerivation (rec {
  pname = "zlib";
-  version = "1.2.12";
+  version = "1.2.13";

  src = fetchurl {
    urls =
      [ "https://www.zlib.net/fossils/zlib-${version}.tar.gz"  # stable archive path
        "mirror://sourceforge/libpng/zlib/${version}/zlib-${version}.tar.gz"
      ];
-    sha256 = "91844808532e5ce316b3c010929493c0244f3d37593afd6de04f71821d5136d9";
+    hash = "sha256-s6JN6XqP28g1uYMxaVAQMLiXcDG8tUs7OsE3QPhGqzA=";
  };

  postPatch = lib.optionalString stdenv.hostPlatform.isDarwin ''
@ -40,17 +40,6 @@ stdenv.mkDerivation (rec {
      --replace 'ARFLAGS="-o"' 'ARFLAGS="-r"'
  '';

-  patches = [
-    ./fix-configure-issue-cross.patch
-    # Starting zlib 1.2.12, zlib is stricter to incorrect CRC inputs
-    # with bits set above the low 32.
-    # see https://github.com/madler/zlib/issues/618
-    # TODO: remove the patch if upstream releases https://github.com/madler/zlib/commit/ec3df00224d4b396e2ac6586ab5d25f673caa4c2
-    # see https://github.com/NixOS/nixpkgs/issues/170539 for history.
-    ./comprehensive-crc-validation-for-wrong-implementations.patch
-    ./CVE-2022-37434.patch
-  ];
-
  strictDeps = true;
  outputs = [ "out" "dev" ]
    ++ lib.optional splitStaticOutput "static";
--- a/pkgs/development/libraries/zlib/fix-configure-issue-cross.patch
+++ b/pkgs/development/libraries/zlib/fix-configure-issue-cross.patch
@ -1,24 +0,0 @@
-From 05796d3d8d5546cf1b4dfe2cd72ab746afae505d Mon Sep 17 00:00:00 2001
-From: Mark Adler <madler@alumni.caltech.edu>
-Date: Mon, 28 Mar 2022 18:34:10 -0700
-Subject: [PATCH] Fix configure issue that discarded provided CC definition.
-
---
- configure | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/configure b/configure
-index 52ff4a04e..3fa3e8618 100755
--- a/configure
-+++ b/configure
-@@ -174,7 +174,10 @@ if test -z "$CC"; then
-   else
-     cc=${CROSS_PREFIX}cc
-   fi
-+else
-+  cc=${CC}
- fi
-+
- cflags=${CFLAGS-"-O3"}
- # to force the asm version use: CFLAGS="-O3 -DASMV" ./configure
- case "$cc" in