Commit Graph

26 Commits

Author SHA1 Message Date
Nick Hainke
de79a0a9e0 zlib: update to 1.2.13
Remove "001-neon-implementation-of-adler32.patch" because upstreamed
deleted assembler code optimizations:
d0704a8201

Remove upstreamed patches:
- 006-fix-CVE-2022-37434.patch
- 007-fix-null-dereference-in-fix-CVE-2022-37434.patch

Refresh patches:
- 002-arm-specific-optimisations-for-inflate.patch
- 003-arm-specific-optimisations-for-inflate.patch
- 004-attach-sourcefiles-in-patch-002-to-buildsystem.patch

Switch to "https github.com" for downloading source files.

Release Announcements:
https://github.com/madler/zlib/releases/tag/v1.2.13

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-11-13 20:47:57 +01:00
Petr Štetiar
f443e9de70 zlib: backport null dereference fix
The curl developers found test case that crashed in their testing when
using zlib patched against CVE-2022-37434, same patch we've backported
in commit 7df6795d4c ("zlib: backport fix for heap-based buffer
over-read (CVE-2022-37434)"). So we need to backport following patch in
order to fix issue introduced in that previous CVE-2022-37434 fix.

References: https://github.com/curl/curl/issues/9271
Fixes: 7df6795d4c ("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-08-09 08:08:08 +02:00
Petr Štetiar
7df6795d4c zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow
in inflate in inflate.c via a large gzip header extra field. NOTE: only
applications that call inflateGetHeader are affected. Some common
applications bundle the affected zlib source code but may be unable to
call inflateGetHeader.

Fixes: CVE-2022-37434
References: https://github.com/ivd38/zlib_overflow
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-08-06 15:00:08 +02:00
Petr Štetiar
3eb777e180 libs/zlib: fix implicit function declaration warning
Fixes following warning:

 adler32.c:141:12: warning: implicit declaration of function 'NEON_adler32' [-Wimplicit-function-declaration]
   141 |     return NEON_adler32(adler, buf, len);

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-03-28 09:27:56 +02:00
Petr Štetiar
8839a939ee libs/zlib: bump to latest stable release 1.2.12 (CVE-2018-25032)
List of changes since previous release from 2018 is quite long:

 * Fix crc32.c to compile local functions only if used.
 * Check for cc masquerading as gcc or clang in configure.
 * Remove destructive aspects of make distclean.
 * Separate out address sanitizing from warnings in configure.
 * Eliminate use of ULL constants.
 * Add fallthrough comments for gcc.
 * Clean up minizip to reduce warnings for testing.
 * Fix unztell64() in minizip to work past 4GB. (Daniël Hörchner)
 * minizip warning fix if MAXU32 already defined. (gvollant)
 * Replace black/white with allow/block. (theresa-m)
 * Fix indentation in minizip's zip.c.
 * Improve portability of contrib/minizip.
 * Correct typo in blast.c.
 * Change macro name in inflate.c to avoid collision in VxWorks.
 * Clarify gz* function interfaces, referring to parameter names.
 * Fix error in comment on the polynomial representation of a byte.
 * Fix memory leak on error in gzlog.c.
 * Avoid adding empty gzip member after gzflush with Z_FINISH.
 * Explicitly note that the 32-bit check values are 32 bits.
 * Use ARM crc32 instructions if the ARM architecture has them.
 * Add use of the ARMv8 crc32 instructions when requested.
 * Correct comment in crc32.c.
 * Don't bother computing check value after successful inflateSync().
 * Use atomic test and set, if available, for dynamic CRC tables.
 * Speed up software CRC-32 computation by a factor of 1.5 to 3.
 * Add crc32_combine_gen() and crc32_combine_op() for fast combines.
 * Add tables for crc32_combine(), to speed it up by a factor of 200.
 * Fix the zran.c example to work on a multiple-member gzip file.
 * Add gznorm.c example, which normalizes gzip files.
 * Show all the codes for the maximum tables size in enough.c.
 * Clarify that prefix codes are counted in enough.c.
 * Use inline function instead of macro for index in enough.c.
 * Clean up code style in enough.c, update version.
 * Use a macro for the printf format of big_t in enough.c.
 * Use a structure to make globals in enough.c evident.
 * Assure that the number of bits for deflatePrime() is valid.
 * Fix a bug that can crash deflate on some input when using Z_FIXED.
 * Correct the initialization requirements for deflateInit2().
 * Emphasize the need to continue decompressing gzip members.
 * Add legal disclaimer to README.
 * Fix deflateEnd() to not report an error at start of raw deflate.
 * Remove old assembler code in which bugs have manifested.
 * Make the names in functions declarations identical to definitions.
 * Avoid an undefined behavior of memcpy() in _tr_stored_block().
 * Avoid undefined behaviors of memcpy() in gz*printf().
 * Avoid an undefined behavior of memcpy() in gzappend().
 * Avoid the use of ptrdiff_t.
 * Handle case where inflateSync used when header never processed.
 * Don't compute check value for raw inflate if asked to validate.
 * Add address checking in clang to -w option of configure.
 * Return an error if the gzputs string length can't fit in an int.
 * Small speedup to inflate [psumbera].
 * Update use of errno for newer Windows CE versions.
 * Avoid some conversion warnings in gzread.c and gzwrite.c.
 * Have Makefile return non-zero error code on test failure.
 * Avoid a conversion error in gzseek when off_t type too small.
 * Fix CLEAR_HASH macro to be usable as a single statement.
 * Fix bug when window full in deflate_stored().
 * Limit hash table inserts after switch from stored deflate.
 * Permit a deflateParams() parameter change as soon as possible.
 * Cygwin does not have _wopen(), so do not create gzopen_w() there.

Removed 006-fix-compressor-crash-on-certain-inputs.patch which was
hotfix for CVE-2018-25032 and is now included in this release.

This release is not available on @SF (yet?) so the sources are now
pulled from GitHub.

Fixes: CVE-2018-25032
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-03-28 09:27:56 +02:00
Petr Štetiar
b3aa2909a7 zlib: backport security fix for a reproducible crash in compressor
Tavis has just reported, that he was recently trying to track down a
reproducible crash in a compressor. Believe it or not, it really was a
bug in zlib-1.2.11 when compressing (not decompressing!) certain inputs.

Tavis has reported it upstream, but it turns out the issue has been
public since 2018, but the patch never made it into a release. As far as
he knows, nobody ever assigned it a CVE.

Suggested-by: Tavis Ormandy <taviso@gmail.com>
References: https://www.openwall.com/lists/oss-security/2022/03/24/1
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-03-24 08:15:24 +01:00
Adrian Schmutzler
221eefaf6b zlib: properly split patches
This package had two patches (with two headers etc.) in one file,
which would have quilt merging them during a refresh.

Separate these patches into two files, as the original intent seems
to be having them separate.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-24 14:08:29 +01:00
Jeffery To
782eda9750 zlib: Use relative paths in pkg-config metadata file
The buildroot pkg-config (in staging_dir/host/bin) overrides the prefix
and exec_prefix variables in *.pc files, to supply the correct
(buildroot) paths for callers. If other variables are not defined
relative to prefix and exec_prefix, then the returned values will be
incorrect.

The default zlib.pc file generated by cmake contains absolute paths.
This patches the file to use relative paths (relative to ${prefix} and
${exec_prefix}).

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-05-17 21:41:43 +02:00
Hauke Mehrtens
8dcd941d8b tools/zlib: move zlib build to tools
This allows us to link the other tools against our libz and we do not
need the system zlib any more.

Only the static linked library is copied to the staging directory so we
have a statically linked library on all systems and not only on Linux.
This also adds the new dependencies of the packages which are depending
on zlib.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-04-28 15:28:59 +02:00
Jo-Philipp Wich
3f5e39e960 zlib: only enable NEON optimizations on eligible targets
Instead of inferring the availability of NEON support from the target
optimization flags, use a preprocessor test to decide whether to enable
ARMv8 NEON optimizations.

Fixes the following build error spotted by the mediatek/32 buildbot:

    [ 26%] Building C object CMakeFiles/zlib.dir/contrib/arm/inflate.o
    In file included from .../zlib-1.2.11/contrib/arm/chunkcopy.h:10:0,
                     from .../zlib-1.2.11/contrib/arm/inflate.c:87:
    .../arm_neon.h:31:2: error: #error You must enable NEON instructions (e.g. -mfloat-abi=softfp -mfpu=neon) to use arm_neon.h
     #error You must enable NEON instructions (e.g. -mfloat-abi=softfp -mfpu=neon) to use arm_neon.h
      ^
    In file included from .../zlib-1.2.11/contrib/arm/inflate.c:87:0:
    .../zlib-1.2.11/contrib/arm/chunkcopy.h:18:9: error: unknown type name 'uint8x16_t'
     typedef uint8x16_t chunkcopy_chunk_t;
             ^
    [...]
    CMakeFiles/zlib.dir/build.make:302: recipe for target 'CMakeFiles/zlib.dir/contrib/arm/inflate.o' failed

Fixes: 3acecba520 "package/libs/zlib: Add ARM and NEON optimizations"
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-01-07 12:33:47 +01:00
Daniel Engberg
cbe71649bc package/libs/zlib: Add host build
Some packages such as Python/Python3 (host pip/pip3) needs this
to compile.

More detailed explanation provided by Alexandru:

"i need the zlib/host for Python/Python3 ; because, it seems the
host pip/pip3 needs this to work ; i suspect in older versions
this worked, because some of the host's build env would be used
in the build, and then the zlib-dev from the host distro would
be used ; now, the host-build does not seem to have any
-I/usr/include stuff, which is good

and it also seems that Python/Python3 does not like it if the
zlib-dev package is too old, so using this zlib/host would be
good for this as well"

Source:
https://github.com/lede-project/source/pull/1329#issuecomment-351055861

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-01-02 17:11:12 +01:00
Daniel Engberg
0dd439141d package/libs/zlib: Add option for O3 optimization
Add option to use O3 optimization as not all devices have
space constraints. This option is default using GCC in upstream
but isn't in the CMake makefile for some reason.

Source: https://github.com/madler/zlib/blob/master/configure#L170

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-01-02 17:11:12 +01:00
Daniel Engberg
3acecba520 package/libs/zlib: Add ARM and NEON optimizations
This adds two optimizations for ARM:
NEON optimized Adler(-)32 checksum algorithm (ARMv7 and newer NEON CPUs)
ARM(v7+) specific optimization for inflate
I've also connected inflate optimization to the build using the following
source as template.
0397489124 (diff-a62ad2db6c83dbc205d34bb9a8884f16)

Additional info:
https://codereview.chromium.org/2676493007/
https://codereview.chromium.org/2722063002/

Sources:
https://github.com/madler/zlib/pull/251 (only the first commit)
https://github.com/madler/zlib/pull/256

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-01-02 17:11:12 +01:00
Daniel Engberg
383e8aeec7 package/libs/zlib: Use toolchain build logic
Use build logic provided by toolchain instead of doing it manually.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-01-02 17:11:12 +01:00
Alexander Couzens
c61a239514
add PKG_CPE_ID ids to package and tools
CPE ids helps to tracks CVE in packages.
https://cpe.mitre.org/specification/

Thanks to swalker for CPE to package mapping and
keep tracking CVEs.

Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-11-17 02:24:35 +01:00
Stijn Tintel
462ca4e059 zlib: use default Build/Configure rule
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-07-14 08:45:55 +02:00
Daniel Engberg
da5d060ac9 zlib: Update to 1.2.11
Update to 1.2.11 as suggested by upstream
Also add SF as primary source and main site as fallback

Note: SF doesn't carry the 1.2.11 update yet.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-01-16 19:52:07 +01:00
Magnus Kroken
186cd4533d zlib: update to 1.2.10
* Fix bug in deflate_stored() for zero-length input
* Fix bug in gzwrite.c that produced corrupt gzip files

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-01-07 19:35:22 +01:00
Daniel Engberg
6099f22097 zlib: Update to 1.2.9
Update zlib to 1.2.9 and switch to XZ tarballs for download.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-01-03 14:24:33 +01:00
Felix Fietkau
720b99215d treewide: clean up download hashes
Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-16 22:39:22 +01:00
Felix Fietkau
3e0615fe8f package/libs/zlib: new package zlib-dev
The patch adds a new package zlib-dev. It contains all files needed for
compiling a program using the zlib library:

/usr/include/zconf.h
/usr/include/zlib.h
/usr/lib/libz.a
/usr/lib/pkgconfig/zlib.pc

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>

SVN-Revision: 48151
2016-01-07 21:08:13 +00:00
Luka Perkov
75078acd93 cosmetic: remove trailing whitespaces
Signed-off-by: Luka Perkov <luka@openwrt.org>

SVN-Revision: 47197
2015-10-15 22:12:13 +00:00
Steven Barth
bec9d38fa4 Add a few SPDX tags
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 43151
2014-11-02 12:20:54 +00:00
Luka Perkov
f566115085 zlib: update to 1.2.8
Signed-off-by: Luka Perkov <luka@openwrt.org>

SVN-Revision: 37589
2013-07-28 23:27:34 +00:00
Hamish Guthrie
81a3d9ba31 licensing: Add licensing metadata to many packages Two new variables are introduces to many packages, namely PKG_LICENSE and PKG_LICENSE_FILES - there may be more than one license applied to packages, and these are listed in the PKG_LICENSE variable and separated by spaces. All relevant license files are also added to the PKG_LICENSE_FILES variable, also space separated.
The licensing metadata is put into the bin/<platform>/packages/Packages file
for later parsing. A script for that is on it's way!

SVN-Revision: 33861
2012-10-19 15:34:28 +00:00
Felix Fietkau
48db59fab7 move library packages to package/libs/
SVN-Revision: 33657
2012-10-08 11:24:12 +00:00