Bug#924509: marked as done (CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843)

2019-04-18 Thread Debian Bug Tracking System
Your message dated Thu, 18 Apr 2019 17:32:53 +
with message-id 
and subject line Bug#924509: fixed in rsync 3.1.2-1+deb9u2
has caused the Debian Bug report #924509,
regarding CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
924509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924509
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: rsync
Version: 3.1.3-5
Severity: grave
Tags: security

rsync ships a local copy of zlib, which misses the security fixes for
CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843.

I've attached the respective upstream patches.

Also, let's revisit using the shared zlib copy for bullseye, please.

Cheers,
Moritz
From 6a043145ca6e9c55184013841a67b2fef87e44c0 Mon Sep 17 00:00:00 2001
From: Mark Adler 
Date: Wed, 21 Sep 2016 23:35:50 -0700
Subject: [PATCH] Remove offset pointer optimization in inftrees.c.

inftrees.c was subtracting an offset from a pointer to an array,
in order to provide a pointer that allowed indexing starting at
the offset. This is not compliant with the C standard, for which
the behavior of a pointer decremented before its allocated memory
is undefined. Per the recommendation of a security audit of the
zlib code by Trail of Bits and TrustInSoft, in support of the
Mozilla Foundation, this tiny optimization was removed, in order
to avoid the possibility of undefined behavior.
---
 inftrees.c | 18 --
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/inftrees.c b/inftrees.c
index 22fcd666..0d2670d5 100644
--- a/inftrees.c
+++ b/inftrees.c
@@ -54,7 +54,7 @@ unsigned short FAR *work;
 code FAR *next; /* next available space in table */
 const unsigned short FAR *base; /* base value table to use */
 const unsigned short FAR *extra;/* extra bits table to use */
-int end;/* use base and extra for symbol > end */
+unsigned match; /* use base and extra for symbol >= match */
 unsigned short count[MAXBITS+1];/* number of codes of each length */
 unsigned short offs[MAXBITS+1]; /* offsets in table for each length */
 static const unsigned short lbase[31] = { /* Length codes 257..285 base */
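Review bot: the new comment on `match` documents only the `>=` side of the comparison. Going by the later hunks, `match` is also the amount subtracted when indexing `base` and `extra`, and symbol `match - 1` is the end-of-block case, so the declaration comment should say both, for example "first symbol that uses base and extra; those tables are indexed by symbol - match". A short remark on why the type changed from `int` to `unsigned` (the DISTS case no longer uses a -1 sentinel) would also help the next reader.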
@@ -181,19 +181,17 @@ unsigned short FAR *work;
 switch (type) {
 case CODES:
 base = extra = work;/* dummy value--not used */
-end = 19;
+match = 20;
 break;
 case LENS:
 base = lbase;
-base -= 257;
 extra = lext;
-extra -= 257;
-end = 256;
+match = 257;
 break;
 default:/* DISTS */
 base = dbase;
 extra = dext;
-end = -1;
+match = 0;
 }
 
 /* initialize state for loop */
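Review bot: in the CODES case, `base = extra = work` is still commented as "dummy value--not used", but after this change that only holds while no code-length symbol in `work` reaches `match = 20`; otherwise `extra[work[sym] - match]` would read from `work` itself. Please state that invariant next to `match = 20`. The constants 20, 257 and 0 are each the old `end` plus one, and for LENS the 257 now does the job of the removed `base -= 257` and `extra -= 257`; a one-line comment tying `match = 257` to the first entry of `lbase`/`lext` would make that explicit.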
@@ -216,13 +214,13 @@ unsigned short FAR *work;
 for (;;) {
 /* create table entry */
 here.bits = (unsigned char)(len - drop);
-if ((int)(work[sym]) < end) {
+if (work[sym] + 1 < match) {
 here.op = (unsigned char)0;
 here.val = work[sym];
 }
-else if ((int)(work[sym]) > end) {
-here.op = (unsigned char)(extra[work[sym]]);
-here.val = base[work[sym]];
+else if (work[sym] >= match) {
+here.op = (unsigned char)(extra[work[sym] - match]);
+here.val = base[work[sym] - match];
 }
 else {
 here.op = (unsigned char)(32 + 64); /* end of block */
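Review bot: the condition `work[sym] + 1 < match` needs a comment explaining its form. With `match` unsigned and set to 0 for DISTS, the more obvious `work[sym] < match - 1` would wrap around, so the `+ 1` is load-bearing and easy to "simplify" incorrectly later. Separately, `extra[work[sym] - match]` and `base[work[sym] - match]` carry no bounds check in this hunk; they depend on the symbol values in `work` staying within the tables (`lbase[31]` for LENS), so it is worth naming where that range is enforced, or adding a debug assertion here.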
From 9aaec95e82117c1cb0f9624264c3618fc380cecb Mon Sep 17 00:00:00 2001
From: Mark Adler 
Date: Wed, 21 Sep 2016 22:25:21 -0700
Subject: [PATCH] Use post-increment only in inffast.c.

An old inffast.c optimization turns out to not be optimal anymore
with modern compilers, and furthermore was not compliant with the
C standard, for which decrementing a pointer before its allocated
memory is undefined. Per the recommendation of a security audit of
the zlib code by Trail of Bits and TrustInSoft, in support of the
Mozilla Foundation, this "optimization" was removed, in order to
avoid the possibility of undefined behavior.
---
 inffast.c | 81 +--
 1 file changed, 31 insertions(+), 50 deletions(-)

diff --git a/inffast.c b/inffast.c
index bda59ceb..f0d163db 100644
--- a/inffast.c
+++ b/inffast.c
@@ -10,25 +10,6 @@
 
 #ifndef ASMINF
 
-/* Allow machine dependent optimization for post-increment or pre-increment.
-   Based on testing to date,
-   Pre-increment preferred for:
-   - PowerPC G3 (Adler)

Bug#924509: marked as done (CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843)

2019-03-15 Thread Debian Bug Tracking System
Your message dated Fri, 15 Mar 2019 10:49:28 +
with message-id 
and subject line Bug#924509: fixed in rsync 3.1.3-6
has caused the Debian Bug report #924509,
regarding CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
924509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924509
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems