Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package zlib for openSUSE:Factory checked in at 2026-04-25 21:35:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/zlib (Old) and /work/SRC/openSUSE:Factory/.zlib.new.11940 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "zlib" Sat Apr 25 21:35:06 2026 rev:93 rq:1348790 version:1.3.1 Changes: --------
--- /work/SRC/openSUSE:Factory/zlib/zlib.changes 2024-02-28 19:44:27.220010280 +0100
+++ /work/SRC/openSUSE:Factory/.zlib.new.11940/zlib.changes 2026-04-25 21:35:07.016267922 +0200
@@ -1,0 +2,8 @@
+Mon Apr 20 13:32:34 UTC 2026 - Antonio Teixeira <[email protected]>
+
+- Fix CVE-2026-27171, infinite loop via the crc32_combine64 and
+ crc32_combine_gen64 functions due to missing checks for negative
+ lengths (bsc#1258392)
+ * CVE-2026-27171.patch
+
+-------------------------------------------------------------------
New: ---- CVE-2026-27171.patch ----------(New B)---------- New: lengths (bsc#1258392) * CVE-2026-27171.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ zlib.spec ++++++
--- /var/tmp/diff_new_pack.1bbED3/_old 2026-04-25 21:35:07.880303348 +0200
+++ /var/tmp/diff_new_pack.1bbED3/_new 2026-04-25 21:35:07.884303512 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package zlib
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -48,6 +48,8 @@
 # PATCh-FIX-SECURITY CVE-2023-45853.patch bsc#1216378 CVE-2023-45853 [email protected]
 # integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6
 Patch12: CVE-2023-45853.patch
+# PATCH-FIX-UPSTREAM CVE-2026-27171.patch bsc#1258392 CVE-2026-27171 [email protected]
+Patch13: CVE-2026-27171.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: libtool
++++++ CVE-2026-27171.patch ++++++
>From ba829a458576d1ff0f26fc7230c6de816d1f6a77 Mon Sep 17 00:00:00 2001
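Review bot: `Patch13: CVE-2026-27171.patch` is declared at the end of the patch list, but whether it is actually applied depends on the %prep section, which is outside this hunk: with `%autosetup -p1` the declaration alone is enough, whereas a spec that applies patches one by one also needs a matching `%patch` line, so that should be confirmed before the build is trusted to carry the fix. The tag comment follows the existing `PATCH-FIX-*` convention and carries the bsc and CVE identifiers, which is the only in-spec documentation of why the patch exists, so it is worth keeping as written.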
From: Mark Adler <[email protected]>
Date: Sun, 21 Dec 2025 18:17:56 -0800
Subject: [PATCH] Check for negative lengths in crc32_combine functions.

Though zlib.h says that len2 must be non-negative, this avoids the possibility of an accidental infinite loop.
---
 crc32.c | 4 ++++
 zlib.h | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/crc32.c b/crc32.c
index 6c38f5c04..33d8c7953 100644
--- a/crc32.c
+++ b/crc32.c
@@ -1019,6 +1019,8 @@ unsigned long ZEXPORT crc32(unsigned long crc, const unsigned char FAR *buf,

 /* ========================================================================= */
 uLong ZEXPORT crc32_combine64(uLong crc1, uLong crc2, z_off64_t len2) {
+ if (len2 < 0)
+ return 0;
 #ifdef DYNAMIC_CRC_TABLE
 once(&made, make_crc_table);
 #endif /* DYNAMIC_CRC_TABLE */
@@ -1032,6 +1034,8 @@ uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2) {

 /* ========================================================================= */
 uLong ZEXPORT crc32_combine_gen64(z_off64_t len2) {
+ if (len2 < 0)
+ return 0;
 #ifdef DYNAMIC_CRC_TABLE
 once(&made, make_crc_table);
 #endif /* DYNAMIC_CRC_TABLE */
diff --git a/zlib.h b/zlib.h
index f7aded9aa..2881da71c 100644
--- a/zlib.h
+++ b/zlib.h
@@ -1848,14 +1848,14 @@ ZEXTERN uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2);
 seq1 and seq2 with lengths len1 and len2, CRC-32 check values were
 calculated for each, crc1 and crc2. crc32_combine() returns the CRC-32
 check value of seq1 and seq2 concatenated, requiring only crc1, crc2, and
- len2. len2 must be non-negative.
+ len2. len2 must be non-negative, otherwise zero is returned.
 */

 /*
 ZEXTERN uLong ZEXPORT crc32_combine_gen(z_off_t len2);

 Return the operator corresponding to length len2, to be used with
- crc32_combine_op(). len2 must be non-negative.
+ crc32_combine_op(). len2 must be non-negative, otherwise zero is returned.
 */

 ZEXTERN uLong ZEXPORT crc32_combine_op(uLong crc1, uLong crc2, uLong op);
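Review bot: The added `if (len2 < 0) return 0;` at the top of crc32_combine64 (and the identical guard in the crc32_combine_gen64 hunk below) uses 0 as an error sentinel, but 0 is also a legitimate CRC-32 and operator value, so a caller that passes a negative length by mistake gets a result that can still compare equal to a genuine check value instead of a detectable failure. The guard does stop the non-terminating loop named in the commit message, and the zlib.h hunk documents the new return, so the trade-off is at least visible in the contract; a short comment at the guard would keep it from being lost in the body: `/* len2 < 0 is a caller error; 0 is returned as documented in zlib.h, but 0 is also a valid result, so callers cannot detect it. */`. The non-64 wrappers crc32_combine() and crc32_combine_gen() are outside both hunks; if they convert len2 and forward to the 64-bit versions the guard covers them, otherwise they need the same check. The bodies of both patched functions continue past the end of their hunks.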
