Fix CVE-2022-37434

2022-08-18 18:36:48 +08:00 · 2022-08-18 18:36:48 +08:00 · c2ca1c6fb6
commit c2ca1c6fb6
parent cdc3a24b48
3 changed files with 74 additions and 15 deletions
--- a/backport-A-fix-for-the-zlib-fix.patch
+++ b/backport-A-fix-for-the-zlib-fix.patch
@ -0,0 +1,26 @@
+From 9e2921fce8c518e370c324407d35bc83ba12f2d5 Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayne@opencoder.net>
+Date: Mon, 8 Aug 2022 20:05:10 -0700
+Subject: [PATCH] A fix for the zlib fix.
+
+---
+ zlib/inflate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/zlib/inflate.c b/zlib/inflate.c
+index d15132ea..e9840b67 100644
+--- a/zlib/inflate.c
+++ b/zlib/inflate.c
+@@ -739,10 +739,10 @@ int flush;
+                 copy = state->length;
+                 if (copy > have) copy = have;
+                 if (copy) {
+-                    len = state->head->extra_len - state->length;
+                     if (state->head != Z_NULL &&
+                         state->head->extra != Z_NULL &&
+-                        len < state->head->extra_max) {
+                        (len = state->head->extra_len - state->length) <
+                            state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);
--- a/backport-CVE-2022-37434.patch
+++ b/backport-CVE-2022-37434.patch
@ -0,0 +1,28 @@
+From 788f11ea6afeb96f0d84f140192165a1ca12ade4 Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayne@opencoder.net>
+Date: Sun, 7 Aug 2022 09:27:57 -0700
+Subject: [PATCH] Fix zlib bug with a large gzip header extra field
+
+From zlib commit eff308af425b67093bab25f80f1ae950166bece1.
+Fixes CVE-2022-37434.
+---
+ zlib/inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/zlib/inflate.c b/zlib/inflate.c
+index e43abd9e0..d15132eaf 100644
+--- a/zlib/inflate.c
+++ b/zlib/inflate.c
+@@ -739,9 +739,10 @@ int flush;
+                 copy = state->length;
+                 if (copy > have) copy = have;
+                 if (copy) {
+                    len = state->head->extra_len - state->length;
+                     if (state->head != Z_NULL &&
+-                        state->head->extra != Z_NULL) {
+-                        len = state->head->extra_len - state->length;
+                        state->head->extra != Z_NULL &&
+                        len < state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);
--- a/rsync.spec
+++ b/rsync.spec
@ -1,6 +1,6 @@
 Name:           rsync
 Version:        3.1.3
-Release:        7
+Release:        8
 Summary:        Fast incremental file transfer utility
 License:        GPLv3+
 URL:            http://rsync.samba.org/
@ -19,20 +19,22 @@ Obsoletes:      rsync-daemon

 Patch0:         rsync-man.patch
 Patch1:         rsync-noatime.patch
-Patch6000:      Avoid-a-compiler-error-warning-about-shifting-a-nega.patch
-Patch6001:      Need-to-mark-xattr-rules-in-get_rule_prefix.patch
-Patch6002:      Fix-itemizing-of-wrong-dir-name-on-some-iconv-transf.patch
-Patch6003:      Avoid-a-potential-out-of-bounds-read-in-daemon-mode-.patch
-Patch6004:      Avoid-leaving-a-file-open-on-error-return.patch
-Patch6005:      Fix-remove-source-files-sanity-check-w-copy-links-th.patch
-Patch6006:      Fix-zlib-CVE-2016-9840.patch
-Patch6007:      Fix-zlib-CVE-2016-9841.patch
-Patch6008:      Fix-zlib-CVE-2016-9842.patch
-Patch6009:      Fix-zlib-CVE-2016-9843.patch
-Patch6010:      Fix-bug-in-try_dests_reg-that-Florian-Zumbiehl-point.patch
-Patch6011:      Try-to-fix-the-iconv-crash-in-bug-11338.patch
-Patch6012:      CVE-2017-17433.patch
-Patch6013:      backport-Use-a-lock-to-not-fail-on-a-left-over-pid-file.patch 
+Patch2:         Avoid-a-compiler-error-warning-about-shifting-a-nega.patch
+Patch3:         Need-to-mark-xattr-rules-in-get_rule_prefix.patch
+Patch4:         Fix-itemizing-of-wrong-dir-name-on-some-iconv-transf.patch
+Patch5:         Avoid-a-potential-out-of-bounds-read-in-daemon-mode-.patch
+Patch6:         Avoid-leaving-a-file-open-on-error-return.patch
+Patch7:         Fix-remove-source-files-sanity-check-w-copy-links-th.patch
+Patch8:         Fix-zlib-CVE-2016-9840.patch
+Patch9:         Fix-zlib-CVE-2016-9841.patch
+Patch10:        Fix-zlib-CVE-2016-9842.patch
+Patch11:        Fix-zlib-CVE-2016-9843.patch
+Patch12:        Fix-bug-in-try_dests_reg-that-Florian-Zumbiehl-point.patch
+Patch13:        Try-to-fix-the-iconv-crash-in-bug-11338.patch
+Patch14:        CVE-2017-17433.patch
+Patch15:        backport-Use-a-lock-to-not-fail-on-a-left-over-pid-file.patch 
+Patch16:        backport-CVE-2022-37434.patch
+Patch17:        backport-A-fix-for-the-zlib-fix.patch

 %description
 Rsync is an open source utility that provides fast incremental file transfer.
@ -91,6 +93,9 @@ install -D -m644 %{SOURCE6} %{buildroot}/%{_unitdir}/rsyncd@.service
 %{_mandir}/man5/rsyncd.conf.5*

 %changelog
+* Thu Aug 18 2022 fuanan <fuanan3@h-partners.com> - 3.1.3-8
+- Fix CVE-2022-37434
+
 * Mon Dec 20 2021 yangzhuangzhuang<yangzhuangzhuang1@huawei.com> - 3.1.3-7
 - Type:bugfix
 - ID:NA