[OE-core][whinlatter][PATCH] zlib: Fix CVE-2026-27171

public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed

* [OE-core][whinlatter][PATCH] zlib: Fix CVE-2026-27171
@ 2026-02-20 14:21 hsimeliere.opensource
  2026-02-22 18:16 ` Yoann Congal
  0 siblings, 1 reply; 2+ messages in thread
From: hsimeliere.opensource @ 2026-02-20 14:21 UTC (permalink / raw)
  To: openembedded-core; +Cc: Hugo SIMELIERE, Bruno VERNAY

From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>

Upstream-Status: Backport from https://github.com/madler/zlib/commit/ba829a458576d1ff0f26fc7230c6de816d1f6a77

Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
---
 .../zlib/zlib/CVE-2026-27171.patch            | 63 +++++++++++++++++++
 meta/recipes-core/zlib/zlib_1.3.1.bb          |  1 +
 2 files changed, 64 insertions(+)
 create mode 100644 meta/recipes-core/zlib/zlib/CVE-2026-27171.patch

diff --git a/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch b/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch
new file mode 100644
index 0000000000..e6a8a3eac5
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch
@@ -0,0 +1,63 @@
+From f234bdf5c0f94b681312452fcd5e36968221fa04 Mon Sep 17 00:00:00 2001
+From: Mark Adler <git@madler.net>
+Date: Sun, 21 Dec 2025 18:17:56 -0800
+Subject: [PATCH] Check for negative lengths in crc32_combine functions.
+
+Though zlib.h says that len2 must be non-negative, this avoids the
+possibility of an accidental infinite loop.
+
+Upstream-Status: Backport [https://github.com/madler/zlib/commit/ba829a458576d1ff0f26fc7230c6de816d1f6a77]
+CVE: CVE-2026-27171
+
+Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
+---
+ crc32.c | 4 ++++
+ zlib.h  | 4 ++--
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/crc32.c b/crc32.c
+index 6c38f5c..33d8c79 100644
+--- a/crc32.c
++++ b/crc32.c
+@@ -1019,6 +1019,8 @@ unsigned long ZEXPORT crc32(unsigned long crc, const unsigned char FAR *buf,
+ 
+ /* ========================================================================= */
+ uLong ZEXPORT crc32_combine64(uLong crc1, uLong crc2, z_off64_t len2) {
++    if (len2 < 0)
++        return 0;
+ #ifdef DYNAMIC_CRC_TABLE
+     once(&made, make_crc_table);
+ #endif /* DYNAMIC_CRC_TABLE */
+@@ -1032,6 +1034,8 @@ uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2) {
+ 
+ /* ========================================================================= */
+ uLong ZEXPORT crc32_combine_gen64(z_off64_t len2) {
++    if (len2 < 0)
++        return 0;
+ #ifdef DYNAMIC_CRC_TABLE
+     once(&made, make_crc_table);
+ #endif /* DYNAMIC_CRC_TABLE */
+diff --git a/zlib.h b/zlib.h
+index 8d4b932..8c7f8ac 100644
+--- a/zlib.h
++++ b/zlib.h
+@@ -1758,14 +1758,14 @@ ZEXTERN uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2);
+    seq1 and seq2 with lengths len1 and len2, CRC-32 check values were
+    calculated for each, crc1 and crc2.  crc32_combine() returns the CRC-32
+    check value of seq1 and seq2 concatenated, requiring only crc1, crc2, and
+-   len2. len2 must be non-negative.
++   len2. len2 must be non-negative, otherwise zero is returned.
+ */
+ 
+ /*
+ ZEXTERN uLong ZEXPORT crc32_combine_gen(z_off_t len2);
+ 
+      Return the operator corresponding to length len2, to be used with
+-   crc32_combine_op(). len2 must be non-negative.
++   crc32_combine_op(). len2 must be non-negative, otherwise zero is returned.
+ */
+ 
+ ZEXTERN uLong ZEXPORT crc32_combine_op(uLong crc1, uLong crc2, uLong op);
+-- 
+2.43.0
+
diff --git a/meta/recipes-core/zlib/zlib_1.3.1.bb b/meta/recipes-core/zlib/zlib_1.3.1.bb
index ef83142121..892467a1fb 100644
--- a/meta/recipes-core/zlib/zlib_1.3.1.bb
+++ b/meta/recipes-core/zlib/zlib_1.3.1.bb
@@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://zlib.h;beginline=6;endline=23;md5=5377232268e952e9ef6
 SRC_URI = "https://zlib.net/${BP}.tar.gz \
            file://0001-configure-Pass-LDFLAGS-to-link-tests.patch \
            file://run-ptest \
+           file://CVE-2026-27171.patch \
            "
 UPSTREAM_CHECK_URI = "http://zlib.net/"
 
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [OE-core][whinlatter][PATCH] zlib: Fix CVE-2026-27171
  2026-02-20 14:21 [OE-core][whinlatter][PATCH] zlib: Fix CVE-2026-27171 hsimeliere.opensource
@ 2026-02-22 18:16 ` Yoann Congal
  0 siblings, 0 replies; 2+ messages in thread
From: Yoann Congal @ 2026-02-22 18:16 UTC (permalink / raw)
  To: hsimeliere.opensource, openembedded-core; +Cc: Bruno VERNAY

Hello,

On Fri Feb 20, 2026 at 3:21 PM CET, Hugo Simeliere via lists.openembedded.org wrote:
> From: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
>

Thanks for the patch. But the commit message needs improvement: Please
add a justification as to why you think this particular patch fixes this
CVE: Cited in the NVD report? upstream? another source?

> Upstream-Status: Backport from https://github.com/madler/zlib/commit/ba829a458576d1ff0f26fc7230c6de816d1f6a77
This marker is not useful outside of a added patch (like your
CVE-2026-27171.patch) : you can remove it.

Obviously, that also applies to the whinlatter patch.

Thanks!

>
> Signed-off-by: Bruno VERNAY <bruno.vernay@se.com>
> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
> ---
>  .../zlib/zlib/CVE-2026-27171.patch            | 63 +++++++++++++++++++
>  meta/recipes-core/zlib/zlib_1.3.1.bb          |  1 +
>  2 files changed, 64 insertions(+)
>  create mode 100644 meta/recipes-core/zlib/zlib/CVE-2026-27171.patch
>
> diff --git a/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch b/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch
> new file mode 100644
> index 0000000000..e6a8a3eac5
> --- /dev/null
> +++ b/meta/recipes-core/zlib/zlib/CVE-2026-27171.patch
> @@ -0,0 +1,63 @@
> +From f234bdf5c0f94b681312452fcd5e36968221fa04 Mon Sep 17 00:00:00 2001
> +From: Mark Adler <git@madler.net>
> +Date: Sun, 21 Dec 2025 18:17:56 -0800
> +Subject: [PATCH] Check for negative lengths in crc32_combine functions.
> +
> +Though zlib.h says that len2 must be non-negative, this avoids the
> +possibility of an accidental infinite loop.
> +
> +Upstream-Status: Backport [https://github.com/madler/zlib/commit/ba829a458576d1ff0f26fc7230c6de816d1f6a77]
> +CVE: CVE-2026-27171
> +
> +Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
> +---
> + crc32.c | 4 ++++
> + zlib.h  | 4 ++--
> + 2 files changed, 6 insertions(+), 2 deletions(-)
> +
> +diff --git a/crc32.c b/crc32.c
> +index 6c38f5c..33d8c79 100644
> +--- a/crc32.c
> ++++ b/crc32.c
> +@@ -1019,6 +1019,8 @@ unsigned long ZEXPORT crc32(unsigned long crc, const unsigned char FAR *buf,
> + 
> + /* ========================================================================= */
> + uLong ZEXPORT crc32_combine64(uLong crc1, uLong crc2, z_off64_t len2) {
> ++    if (len2 < 0)
> ++        return 0;
> + #ifdef DYNAMIC_CRC_TABLE
> +     once(&made, make_crc_table);
> + #endif /* DYNAMIC_CRC_TABLE */
> +@@ -1032,6 +1034,8 @@ uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2) {
> + 
> + /* ========================================================================= */
> + uLong ZEXPORT crc32_combine_gen64(z_off64_t len2) {
> ++    if (len2 < 0)
> ++        return 0;
> + #ifdef DYNAMIC_CRC_TABLE
> +     once(&made, make_crc_table);
> + #endif /* DYNAMIC_CRC_TABLE */
> +diff --git a/zlib.h b/zlib.h
> +index 8d4b932..8c7f8ac 100644
> +--- a/zlib.h
> ++++ b/zlib.h
> +@@ -1758,14 +1758,14 @@ ZEXTERN uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2);
> +    seq1 and seq2 with lengths len1 and len2, CRC-32 check values were
> +    calculated for each, crc1 and crc2.  crc32_combine() returns the CRC-32
> +    check value of seq1 and seq2 concatenated, requiring only crc1, crc2, and
> +-   len2. len2 must be non-negative.
> ++   len2. len2 must be non-negative, otherwise zero is returned.
> + */
> + 
> + /*
> + ZEXTERN uLong ZEXPORT crc32_combine_gen(z_off_t len2);
> + 
> +      Return the operator corresponding to length len2, to be used with
> +-   crc32_combine_op(). len2 must be non-negative.
> ++   crc32_combine_op(). len2 must be non-negative, otherwise zero is returned.
> + */
> + 
> + ZEXTERN uLong ZEXPORT crc32_combine_op(uLong crc1, uLong crc2, uLong op);
> +-- 
> +2.43.0
> +
> diff --git a/meta/recipes-core/zlib/zlib_1.3.1.bb b/meta/recipes-core/zlib/zlib_1.3.1.bb
> index ef83142121..892467a1fb 100644
> --- a/meta/recipes-core/zlib/zlib_1.3.1.bb
> +++ b/meta/recipes-core/zlib/zlib_1.3.1.bb
> @@ -10,6 +10,7 @@ LIC_FILES_CHKSUM = "file://zlib.h;beginline=6;endline=23;md5=5377232268e952e9ef6
>  SRC_URI = "https://zlib.net/${BP}.tar.gz \
>             file://0001-configure-Pass-LDFLAGS-to-link-tests.patch \
>             file://run-ptest \
> +           file://CVE-2026-27171.patch \
>             "
>  UPSTREAM_CHECK_URI = "http://zlib.net/"
>  


-- 
Yoann Congal
Smile ECS



^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-02-22 18:16 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-20 14:21 [OE-core][whinlatter][PATCH] zlib: Fix CVE-2026-27171 hsimeliere.opensource
2026-02-22 18:16 ` Yoann Congal

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox