helium-3rd-party/poky
1
0
Fork 0
mirror of git://git.yoctoproject.org/poky synced 2026-04-02 02:49:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

zlib: Fix CVE-2026-27171

Browse Source 
Pick patch from [1] also mentioned in [2]

[1] https://github.com/madler/zlib/issues/904
[2] https://security-tracker.debian.org/tracker/CVE-2026-27171

(From OE-Core rev: cf95e20db688fb155ba0dc7968c816937190234f)

Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Hugo SIMELIERE 2026-03-02 07:54:46 +01:00 committed by Richard Purdie
parent e254ea69aa
commit 5a3a169888
2 changed files with 64 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
meta/recipes-core/zlib/zlib/CVE-2026-27171.patch Normal file
View File

@ -0,0 +1,63 @@
From f234bdf5c0f94b681312452fcd5e36968221fa04 Mon Sep 17 00:00:00 2001
From: Mark Adler <git@madler.net>
Date: Sun, 21 Dec 2025 18:17:56 -0800
Subject: [PATCH] Check for negative lengths in crc32_combine functions.
Though zlib.h says that len2 must be non-negative, this avoids the
possibility of an accidental infinite loop.
Upstream-Status: Backport [https://github.com/madler/zlib/commit/ba829a458576d1ff0f26fc7230c6de816d1f6a77]
CVE: CVE-2026-27171
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
---
crc32.c | 4 ++++
zlib.h | 4 ++--
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/crc32.c b/crc32.c
index 6c38f5c..33d8c79 100644
--- a/crc32.c
+++ b/crc32.c
@@ -1019,6 +1019,8 @@ unsigned long ZEXPORT crc32(unsigned long crc, const unsigned char FAR *buf,
/* ========================================================================= */
uLong ZEXPORT crc32_combine64(uLong crc1, uLong crc2, z_off64_t len2) {
+ if (len2 < 0)
+ return 0;
#ifdef DYNAMIC_CRC_TABLE
once(&made, make_crc_table);
#endif /* DYNAMIC_CRC_TABLE */
@@ -1032,6 +1034,8 @@ uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2) {
/* ========================================================================= */
uLong ZEXPORT crc32_combine_gen64(z_off64_t len2) {
+ if (len2 < 0)
+ return 0;
#ifdef DYNAMIC_CRC_TABLE
once(&made, make_crc_table);
#endif /* DYNAMIC_CRC_TABLE */
diff --git a/zlib.h b/zlib.h
index 8d4b932..8c7f8ac 100644
--- a/zlib.h
+++ b/zlib.h
@@ -1758,14 +1758,14 @@ ZEXTERN uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2);
seq1 and seq2 with lengths len1 and len2, CRC-32 check values were
calculated for each, crc1 and crc2. crc32_combine() returns the CRC-32
check value of seq1 and seq2 concatenated, requiring only crc1, crc2, and
- len2. len2 must be non-negative.
+ len2. len2 must be non-negative, otherwise zero is returned.
*/
/*
ZEXTERN uLong ZEXPORT crc32_combine_gen(z_off_t len2);
Return the operator corresponding to length len2, to be used with
- crc32_combine_op(). len2 must be non-negative.
+ crc32_combine_op(). len2 must be non-negative, otherwise zero is returned.
*/
ZEXTERN uLong ZEXPORT crc32_combine_op(uLong crc1, uLong crc2, uLong op);
--
2.43.0

1
meta/recipes-core/zlib/zlib_1.3.1.bb
View File

@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://zlib.h;beginline=6;endline=23;md5=5377232268e952e9ef6
SRC_URI = "https://zlib.net/${BP}.tar.gz \ SRC_URI = "https://zlib.net/${BP}.tar.gz \
file://0001-configure-Pass-LDFLAGS-to-link-tests.patch \ file://0001-configure-Pass-LDFLAGS-to-link-tests.patch \
file://run-ptest \ file://run-ptest \
file://CVE-2026-27171.patch \
" "
UPSTREAM_CHECK_URI = "http://zlib.net/" UPSTREAM_CHECK_URI = "http://zlib.net/"