Your message dated Thu, 18 Apr 2019 17:32:53 +0000
with message-id <[email protected]>
and subject line Bug#924509: fixed in rsync 3.1.2-1+deb9u2
has caused the Debian Bug report #924509,
regarding CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
924509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924509
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: rsync
Version: 3.1.3-5
Severity: grave
Tags: security

rsync ships a local copy of zlib, which misses the security fixes for
CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843.

I've attached the respective upstream patches.

Also, let's revisit using the shared zlib copy for bullseye, please.

Cheers,
        Moritz
>From 6a043145ca6e9c55184013841a67b2fef87e44c0 Mon Sep 17 00:00:00 2001
From: Mark Adler <[email protected]>
Date: Wed, 21 Sep 2016 23:35:50 -0700
Subject: [PATCH] Remove offset pointer optimization in inftrees.c.

inftrees.c was subtracting an offset from a pointer to an array,
in order to provide a pointer that allowed indexing starting at
the offset. This is not compliant with the C standard, for which
the behavior of a pointer decremented before its allocated memory
is undefined. Per the recommendation of a security audit of the
zlib code by Trail of Bits and TrustInSoft, in support of the
Mozilla Foundation, this tiny optimization was removed, in order
to avoid the possibility of undefined behavior.
---
 inftrees.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/inftrees.c b/inftrees.c
index 22fcd666..0d2670d5 100644
--- a/inftrees.c
+++ b/inftrees.c
@@ -54,7 +54,7 @@ unsigned short FAR *work;
     code FAR *next;             /* next available space in table */
     const unsigned short FAR *base;     /* base value table to use */
     const unsigned short FAR *extra;    /* extra bits table to use */
-    int end;                    /* use base and extra for symbol > end */
+    unsigned match;             /* use base and extra for symbol >= match */
     unsigned short count[MAXBITS+1];    /* number of codes of each length */
     unsigned short offs[MAXBITS+1];     /* offsets in table for each length */
     static const unsigned short lbase[31] = { /* Length codes 257..285 base */
@@ -181,19 +181,17 @@ unsigned short FAR *work;
     switch (type) {
     case CODES:
         base = extra = work;    /* dummy value--not used */
-        end = 19;
+        match = 20;
         break;
     case LENS:
         base = lbase;
-        base -= 257;
         extra = lext;
-        extra -= 257;
-        end = 256;
+        match = 257;
         break;
     default:            /* DISTS */
         base = dbase;
         extra = dext;
-        end = -1;
+        match = 0;
     }
 
     /* initialize state for loop */
@@ -216,13 +214,13 @@ unsigned short FAR *work;
     for (;;) {
         /* create table entry */
         here.bits = (unsigned char)(len - drop);
-        if ((int)(work[sym]) < end) {
+        if (work[sym] + 1 < match) {
             here.op = (unsigned char)0;
             here.val = work[sym];
         }
-        else if ((int)(work[sym]) > end) {
-            here.op = (unsigned char)(extra[work[sym]]);
-            here.val = base[work[sym]];
+        else if (work[sym] >= match) {
+            here.op = (unsigned char)(extra[work[sym] - match]);
+            here.val = base[work[sym] - match];
         }
         else {
             here.op = (unsigned char)(32 + 64);         /* end of block */
>From 9aaec95e82117c1cb0f9624264c3618fc380cecb Mon Sep 17 00:00:00 2001
From: Mark Adler <[email protected]>
Date: Wed, 21 Sep 2016 22:25:21 -0700
Subject: [PATCH] Use post-increment only in inffast.c.

An old inffast.c optimization turns out to not be optimal anymore
with modern compilers, and furthermore was not compliant with the
C standard, for which decrementing a pointer before its allocated
memory is undefined. Per the recommendation of a security audit of
the zlib code by Trail of Bits and TrustInSoft, in support of the
Mozilla Foundation, this "optimization" was removed, in order to
avoid the possibility of undefined behavior.
---
 inffast.c | 81 +++++++++++++++++++++----------------------------------
 1 file changed, 31 insertions(+), 50 deletions(-)

diff --git a/inffast.c b/inffast.c
index bda59ceb..f0d163db 100644
--- a/inffast.c
+++ b/inffast.c
@@ -10,25 +10,6 @@
 
 #ifndef ASMINF
 
-/* Allow machine dependent optimization for post-increment or pre-increment.
-   Based on testing to date,
-   Pre-increment preferred for:
-   - PowerPC G3 (Adler)
-   - MIPS R5000 (Randers-Pehrson)
-   Post-increment preferred for:
-   - none
-   No measurable difference:
-   - Pentium III (Anderson)
-   - M68060 (Nikl)
- */
-#ifdef POSTINC
-#  define OFF 0
-#  define PUP(a) *(a)++
-#else
-#  define OFF 1
-#  define PUP(a) *++(a)
-#endif
-
 /*
    Decode literal, length, and distance codes and write out the resulting
    literal and match bytes until either not enough input or output is
@@ -96,9 +77,9 @@ unsigned start;         /* inflate()'s starting value for 
strm->avail_out */
 
     /* copy state to local variables */
     state = (struct inflate_state FAR *)strm->state;
-    in = strm->next_in - OFF;
+    in = strm->next_in;
     last = in + (strm->avail_in - 5);
-    out = strm->next_out - OFF;
+    out = strm->next_out;
     beg = out - (start - strm->avail_out);
     end = out + (strm->avail_out - 257);
 #ifdef INFLATE_STRICT
@@ -119,9 +100,9 @@ unsigned start;         /* inflate()'s starting value for 
strm->avail_out */
        input data or output space */
     do {
         if (bits < 15) {
-            hold += (unsigned long)(PUP(in)) << bits;
+            hold += (unsigned long)(*in++) << bits;
             bits += 8;
-            hold += (unsigned long)(PUP(in)) << bits;
+            hold += (unsigned long)(*in++) << bits;
             bits += 8;
         }
         here = lcode[hold & lmask];
@@ -134,14 +115,14 @@ unsigned start;         /* inflate()'s starting value for 
strm->avail_out */
             Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ?
                     "inflate:         literal '%c'\n" :
                     "inflate:         literal 0x%02x\n", here.val));
-            PUP(out) = (unsigned char)(here.val);
+            *out++ = (unsigned char)(here.val);
         }
         else if (op & 16) {                     /* length base */
             len = (unsigned)(here.val);
             op &= 15;                           /* number of extra bits */
             if (op) {
                 if (bits < op) {
-                    hold += (unsigned long)(PUP(in)) << bits;
+                    hold += (unsigned long)(*in++) << bits;
                     bits += 8;
                 }
                 len += (unsigned)hold & ((1U << op) - 1);
@@ -150,9 +131,9 @@ unsigned start;         /* inflate()'s starting value for 
strm->avail_out */
             }
             Tracevv((stderr, "inflate:         length %u\n", len));
             if (bits < 15) {
-                hold += (unsigned long)(PUP(in)) << bits;
+                hold += (unsigned long)(*in++) << bits;
                 bits += 8;
-                hold += (unsigned long)(PUP(in)) << bits;
+                hold += (unsigned long)(*in++) << bits;
                 bits += 8;
             }
             here = dcode[hold & dmask];
@@ -165,10 +146,10 @@ unsigned start;         /* inflate()'s starting value for 
strm->avail_out */
                 dist = (unsigned)(here.val);
                 op &= 15;                       /* number of extra bits */
                 if (bits < op) {
-                    hold += (unsigned long)(PUP(in)) << bits;
+                    hold += (unsigned long)(*in++) << bits;
                     bits += 8;
                     if (bits < op) {
-                        hold += (unsigned long)(PUP(in)) << bits;
+                        hold += (unsigned long)(*in++) << bits;
                         bits += 8;
                     }
                 }
@@ -196,30 +177,30 @@ unsigned start;         /* inflate()'s starting value for 
strm->avail_out */
 #ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
                         if (len <= op - whave) {
                             do {
-                                PUP(out) = 0;
+                                *out++ = 0;
                             } while (--len);
                             continue;
                         }
                         len -= op - whave;
                         do {
-                            PUP(out) = 0;
+                            *out++ = 0;
                         } while (--op > whave);
                         if (op == 0) {
                             from = out - dist;
                             do {
-                                PUP(out) = PUP(from);
+                                *out++ = *from++;
                             } while (--len);
                             continue;
                         }
 #endif
                     }
-                    from = window - OFF;
+                    from = window;
                     if (wnext == 0) {           /* very common case */
                         from += wsize - op;
                         if (op < len) {         /* some from window */
                             len -= op;
                             do {
-                                PUP(out) = PUP(from);
+                                *out++ = *from++;
                             } while (--op);
                             from = out - dist;  /* rest from output */
                         }
@@ -230,14 +211,14 @@ unsigned start;         /* inflate()'s starting value for 
strm->avail_out */
                         if (op < len) {         /* some from end of window */
                             len -= op;
                             do {
-                                PUP(out) = PUP(from);
+                                *out++ = *from++;
                             } while (--op);
-                            from = window - OFF;
+                            from = window;
                             if (wnext < len) {  /* some from start of window */
                                 op = wnext;
                                 len -= op;
                                 do {
-                                    PUP(out) = PUP(from);
+                                    *out++ = *from++;
                                 } while (--op);
                                 from = out - dist;      /* rest from output */
                             }
@@ -248,35 +229,35 @@ unsigned start;         /* inflate()'s starting value for 
strm->avail_out */
                         if (op < len) {         /* some from window */
                             len -= op;
                             do {
-                                PUP(out) = PUP(from);
+                                *out++ = *from++;
                             } while (--op);
                             from = out - dist;  /* rest from output */
                         }
                     }
                     while (len > 2) {
-                        PUP(out) = PUP(from);
-                        PUP(out) = PUP(from);
-                        PUP(out) = PUP(from);
+                        *out++ = *from++;
+                        *out++ = *from++;
+                        *out++ = *from++;
                         len -= 3;
                     }
                     if (len) {
-                        PUP(out) = PUP(from);
+                        *out++ = *from++;
                         if (len > 1)
-                            PUP(out) = PUP(from);
+                            *out++ = *from++;
                     }
                 }
                 else {
                     from = out - dist;          /* copy direct from output */
                     do {                        /* minimum length is three */
-                        PUP(out) = PUP(from);
-                        PUP(out) = PUP(from);
-                        PUP(out) = PUP(from);
+                        *out++ = *from++;
+                        *out++ = *from++;
+                        *out++ = *from++;
                         len -= 3;
                     } while (len > 2);
                     if (len) {
-                        PUP(out) = PUP(from);
+                        *out++ = *from++;
                         if (len > 1)
-                            PUP(out) = PUP(from);
+                            *out++ = *from++;
                     }
                 }
             }
@@ -313,8 +294,8 @@ unsigned start;         /* inflate()'s starting value for 
strm->avail_out */
     hold &= (1U << bits) - 1;
 
     /* update state and return */
-    strm->next_in = in + OFF;
-    strm->next_out = out + OFF;
+    strm->next_in = in;
+    strm->next_out = out;
     strm->avail_in = (unsigned)(in < last ? 5 + (last - in) : 5 - (in - last));
     strm->avail_out = (unsigned)(out < end ?
                                  257 + (end - out) : 257 - (out - end));
>From e54e1299404101a5a9d0cf5e45512b543967f958 Mon Sep 17 00:00:00 2001
From: Mark Adler <[email protected]>
Date: Sat, 5 Sep 2015 17:45:55 -0700
Subject: [PATCH] Avoid shifts of negative values inflateMark().

The C standard says that bit shifts of negative integers is
undefined.  This casts to unsigned values to assure a known
result.
---
 inflate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/inflate.c b/inflate.c
index 2889e3a0..a7184167 100644
--- a/inflate.c
+++ b/inflate.c
@@ -1506,9 +1506,10 @@ z_streamp strm;
 {
     struct inflate_state FAR *state;
 
-    if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16;
+    if (strm == Z_NULL || strm->state == Z_NULL)
+        return (long)(((unsigned long)0 - 1) << 16);
     state = (struct inflate_state FAR *)strm->state;
-    return ((long)(state->back) << 16) +
+    return (long)(((unsigned long)((long)state->back)) << 16) +
         (state->mode == COPY ? state->length :
             (state->mode == MATCH ? state->was - state->length : 0));
 }
>From d1d577490c15a0c6862473d7576352a9f18ef811 Mon Sep 17 00:00:00 2001
From: Mark Adler <[email protected]>
Date: Wed, 28 Sep 2016 20:20:25 -0700
Subject: [PATCH] Avoid pre-decrement of pointer in big-endian CRC calculation.

There was a small optimization for PowerPCs to pre-increment a
pointer when accessing a word, instead of post-incrementing. This
required prefacing the loop with a decrement of the pointer,
possibly pointing before the object passed. This is not compliant
with the C standard, for which decrementing a pointer before its
allocated memory is undefined. When tested on a modern PowerPC
with a modern compiler, the optimization no longer has any effect.
Due to all that, and per the recommendation of a security audit of
the zlib code by Trail of Bits and TrustInSoft, in support of the
Mozilla Foundation, this "optimization" was removed, in order to
avoid the possibility of undefined behavior.
---
 crc32.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/crc32.c b/crc32.c
index 979a7190..05733f4e 100644
--- a/crc32.c
+++ b/crc32.c
@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len)
 }
 
 /* ========================================================================= */
-#define DOBIG4 c ^= *++buf4; \
+#define DOBIG4 c ^= *buf4++; \
         c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \
             crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24]
 #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4
@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len)
     }
 
     buf4 = (const z_crc_t FAR *)(const void FAR *)buf;
-    buf4--;
     while (len >= 32) {
         DOBIG32;
         len -= 32;
@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len)
         DOBIG4;
         len -= 4;
     }
-    buf4++;
     buf = (const unsigned char FAR *)buf4;
 
     if (len) do {

--- End Message ---
--- Begin Message ---
Source: rsync
Source-Version: 3.1.2-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
rsync, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Slootman <[email protected]> (supplier of updated rsync package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 15 Mar 2019 11:39:50 +0100
Source: rsync
Binary: rsync
Architecture: source amd64
Version: 3.1.2-1+deb9u2
Distribution: stretch
Urgency: medium
Maintainer: Paul Slootman <[email protected]>
Changed-By: Paul Slootman <[email protected]>
Description:
 rsync      - fast, versatile, remote (and local) file-copying tool
Closes: 924509
Changes:
 rsync (3.1.2-1+deb9u2) stretch; urgency=medium
 .
   * Apply CVEs from 2016 to the zlib code.
     closes:#924509
Checksums-Sha1:
 fc23350b3c6d096f251d0ee257fbc9a8beea439d 1717 rsync_3.1.2-1+deb9u2.dsc
 3f9f82ca8a504077891004fa53e521b11a13de62 31156 
rsync_3.1.2-1+deb9u2.debian.tar.xz
 6756128ce3de4fe3207eb80ba148028987edba1f 3940 
rsync_3.1.2-1+deb9u2_amd64.buildinfo
 7e4ceb4710774b47a62af76644dc5498181bd248 392836 rsync_3.1.2-1+deb9u2_amd64.deb
Checksums-Sha256:
 7ff035929408e160639c0d27c56ea910e561b5858da724ba1e88104855d8b065 1717 
rsync_3.1.2-1+deb9u2.dsc
 9c9b13658cf79ba0171337574365837f0b40696f0e615f794dbfecc2c562fc84 31156 
rsync_3.1.2-1+deb9u2.debian.tar.xz
 9e3c1b94f52659fdc87c338a298f617544ebee182bfede69f6a261e87c7123ab 3940 
rsync_3.1.2-1+deb9u2_amd64.buildinfo
 f2987623a6e5b5aedf56e679bedd2e6f7d54cdb4815ac4149c4d135da16ff9c2 392836 
rsync_3.1.2-1+deb9u2_amd64.deb
Files:
 b9da7b8c62dbb4560ee8a4538bcdcbe3 1717 net optional rsync_3.1.2-1+deb9u2.dsc
 53805697dc36229a898a06480b44c146 31156 net optional 
rsync_3.1.2-1+deb9u2.debian.tar.xz
 fb24df5e2c94379b2661a99dd168ff3e 3940 net optional 
rsync_3.1.2-1+deb9u2_amd64.buildinfo
 2007b698216542f2691ad5c2d4a0d564 392836 net optional 
rsync_3.1.2-1+deb9u2_amd64.deb
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEyfNP08AZcbxb9VhpMveNzq0RO4sFAly0YxUACgkQMveNzq0R
O4sGOA/+NCZM+6eOLEZEr2YrqIx/9Dves0TSQyDUzCeNHpoX8VQ4Uroqc6N5XAnb
E5SaIGu0BvVn7AvK8p0ZZZZVXMi12gqffmzMn+aZDyHyPzYuG5ftLdvG363/OMRw
kechPtLLzOyvKKUpZfP6orRazDr/03BpYLJdAP6PmPhnyenQtMk4wC2cIrTc2yKo
z9KlAVGQLJGs+zihokUQIPtaSaDuiRawVktm4o6xiURF8tk5iPSdTGwcbdvnAh1I
nyejsf4D/3zPNZg8HaLl+vaHIFPThZCjMBWEh2Jp5VnUOdX33P0Ao+qP8DCCUefq
HkaZcfBFC/AbUs4c6mCX1L6OM8UCruzkWJ0efsjK44UV4ZKGkCoRemwjKsVpDMFt
fT+9Wur7ahQakNYYzk9in6YGhxAloiqcrXfIYMZaGbgVoB7y2VtK8gQKxSVExi4L
s6n0ZPbgBi06we+XutdQy3tEC+aXme1zLZSQaCnBekHCl6dDuKok5c8OJWSpihhP
LvwXO6noofyv0RU6uKOWF7mrI6nQGusFl3NzQ9WBMnMa3q1Wmd3jKHQuh8rf3dyY
E7pHbBcCyx3IIO2vHJBM3smvA7mu8tUahesHoH2IdJixihUvIueaNpUFokB4EOv7
z07Bs6j2uGcqggh4qFTKzJ2mZm3eRYS4Na7WsBYu7eBlTYjvkBg=
=Kdw1
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to