zlib: CVE-2016-9840 CVE-2016-9841: out-of-bounds pointer

Related Vulnerabilities: CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843

Debian Bug report logs - #847270


Package: src:zlib; Maintainer for src:zlib is Mark Brown <broonie@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 6 Dec 2016 20:45:01 UTC

Severity: important

Tags: patch, security, upstream

Found in version zlib/1:1.2.8.dfsg-2

Fixed in version zlib/1:1.2.8.dfsg-4

Done: Mark Brown <broonie@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mark Brown <broonie@debian.org>:
Bug#847270; Package src:zlib. (Tue, 06 Dec 2016 20:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Mark Brown <broonie@debian.org>. (Tue, 06 Dec 2016 20:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: zlib: CVE-2016-9840 CVE-2016-9841: out-of-bounds pointer
Date: Tue, 06 Dec 2016 21:41:03 +0100
Source: zlib
Version: 1:1.2.8.dfsg-2
Severity: important
Tags: security upstream patch

Hi,

the following vulnerabilities were published for zlib.

CVE-2016-9840[0] and CVE-2016-9841[1].

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9840
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840
    https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0
[1] https://security-tracker.debian.org/tracker/CVE-2016-9841
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841
    https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Mark Brown <broonie@debian.org>:
You have taken responsibility. (Wed, 07 Dec 2016 10:24:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 07 Dec 2016 10:24:05 GMT)


Message #10 received at 847270-close@bugs.debian.org:

From: Mark Brown <broonie@debian.org>
To: 847270-close@bugs.debian.org
Subject: Bug#847270: fixed in zlib 1:1.2.8.dfsg-3
Date: Wed, 07 Dec 2016 10:21:28 +0000
Source: zlib
Source-Version: 1:1.2.8.dfsg-3

We believe that the bug you reported is fixed in the latest version of
zlib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 847270@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Brown <broonie@debian.org> (supplier of updated zlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 07 Dec 2016 09:15:05 +0000
Source: zlib
Binary: zlib1g zlib1g-dev zlib1g-dbg zlib1g-udeb lib64z1 lib64z1-dev lib32z1 lib32z1-dev libn32z1 libn32z1-dev
Architecture: source amd64
Version: 1:1.2.8.dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Mark Brown <broonie@debian.org>
Changed-By: Mark Brown <broonie@debian.org>
Description:
 lib32z1    - compression library - 32 bit runtime
 lib32z1-dev - compression library - 32 bit development
 lib64z1    - compression library - 64 bit runtime
 lib64z1-dev - compression library - 64 bit development
 libn32z1   - compression library - n32 runtime
 libn32z1-dev - compression library - n32 development
 zlib1g     - compression library - runtime
 zlib1g-dbg - compression library - development
 zlib1g-dev - compression library - development
 zlib1g-udeb - compression library - runtime for Debian installer (udeb)
Closes: 847270 847274 847275
Changes:
 zlib (1:1.2.8.dfsg-3) unstable; urgency=high
 .
   * Apply upstream fix for CVE-2016-9841 (closes: #847270).
   * Apply upstream fix for CVE-2016-9842 (closes: #847274).
   * Apply upstream fix for CVE-2016-9843 (closes: #847275).
   * Standards version 3.9.8 (no changes).
Checksums-Sha1:
 5155d5c4b2880d1136b1475cf3e0f61a8cea92cf 2153 zlib_1.2.8.dfsg-3.dsc
 415adbe30d92dacc119639ab9c5532a45d5c82d2 16596 zlib_1.2.8.dfsg-3.debian.tar.xz
 3c9c7546ac4ef65ed46dc705b6995ca875129884 90658 lib32z1-dev_1.2.8.dfsg-3_amd64.deb
 8dfd28037440a0f577ace36941b86af96259168a 88148 lib32z1_1.2.8.dfsg-3_amd64.deb
 7a56e2cb3cd5304bd9b4e78924fb0fce8126801d 184678 zlib1g-dbg_1.2.8.dfsg-3_amd64.deb
 03582e66c238dda58646aeb89edb421e56b706aa 204894 zlib1g-dev_1.2.8.dfsg-3_amd64.deb
 ca78f5416a2dfc2caa561c808ecad4ca2add95eb 48456 zlib1g-udeb_1.2.8.dfsg-3_amd64.udeb
 01fd9f6915b2b3400a10af6fa9919c95fc57c23f 87408 zlib1g_1.2.8.dfsg-3_amd64.deb
 12d321e1c0da7b3a21485869ebe69662bb499fa5 6655 zlib_1.2.8.dfsg-3_amd64.buildinfo
Checksums-Sha256:
 c71341b1a4f17cdb093442683c9bd85d9e4f7a59fe7a4d0e46b7d5203ff61c49 2153 zlib_1.2.8.dfsg-3.dsc
 190e2d2384c98cda2fb4213b9ca8c693e130ddb9ff7ef79d71448ef954d73d78 16596 zlib_1.2.8.dfsg-3.debian.tar.xz
 2c29a0f0b40b528d0764627d48f9f2808b6a630c9a76c73276f2b9a710221ed4 90658 lib32z1-dev_1.2.8.dfsg-3_amd64.deb
 4c38f3b65c9f6299aad342b7575bdf293f4d8d43182518ef689a648d39317527 88148 lib32z1_1.2.8.dfsg-3_amd64.deb
 f81354af570214e0c3c294317bbd6f51371216006663cc1eaaecf55ae96f0ca0 184678 zlib1g-dbg_1.2.8.dfsg-3_amd64.deb
 1cf5cbba2ad0704698d7492ab70aebce8f7ad448b09e52f53cc87887bbe22828 204894 zlib1g-dev_1.2.8.dfsg-3_amd64.deb
 e7527e20330f6a57c9ffe28f42ee2d8be07d07f60e068d6f76ac852d072e0689 48456 zlib1g-udeb_1.2.8.dfsg-3_amd64.udeb
 d64931c8032ab28dacfc94f7f9f50d487d9cb41906a774ea3f615d947db1e3c0 87408 zlib1g_1.2.8.dfsg-3_amd64.deb
 609c500a7f1f11a85d8a766d32f851c5c1e5df969571487902ebe464239bcf08 6655 zlib_1.2.8.dfsg-3_amd64.buildinfo
Files:
 cf5274954e37460dd68bae6ecb0537a9 2153 libs optional zlib_1.2.8.dfsg-3.dsc
 1383afa4afad1b3988e5c898708cfb6d 16596 libs optional zlib_1.2.8.dfsg-3.debian.tar.xz
 fa03aebd86ffc749ab1dd30272203c3a 90658 libdevel optional lib32z1-dev_1.2.8.dfsg-3_amd64.deb
 b4575acc0b32b0a4b2eb0968c6bdb768 88148 libs optional lib32z1_1.2.8.dfsg-3_amd64.deb
 39359aba4954e824899a45a31bedbe73 184678 debug extra zlib1g-dbg_1.2.8.dfsg-3_amd64.deb
 069f83e1fec767793e535949cd76d589 204894 libdevel optional zlib1g-dev_1.2.8.dfsg-3_amd64.deb
 a9fa89f5e8d07ef167fdd1fe0db3f887 48456 debian-installer optional zlib1g-udeb_1.2.8.dfsg-3_amd64.udeb
 a840cc91160b8930b5baaeb92c0337cd 87408 libs required zlib1g_1.2.8.dfsg-3_amd64.deb
 82117ac9364f7682b247fee649700e66 6655 libs optional zlib_1.2.8.dfsg-3_amd64.buildinfo
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----

iQFHBAEBCAAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAlhH3GATHGJyb29uaWVA
ZGViaWFuLm9yZwAKCRAk1otyXVSH0O5hB/451L+5j+hHDl0wr67suhea57GOjEZv
HeWU1bUjmV9sQh+JAhjtwSjFcEgNY1HmoxKmPDWTwlRaoIHNh4861IU7uWA7ILFO
gJXGjj017dYULjCShGE+xpPgDkJoSlT6S0XeMVwup7YXLJWB0NgC8NVgWT+uY2DB
DDH2KVZ1+SxfxbH73+hID5FJr6pltHTMSQvBF16oSXvoRPtcJdGx9L4x7fbqe7TP
oGvfO/bzyWU30ax40wONyuaVvgeNI6+1hqt9+PUdZMLIphSyoUvFlTsUtvmlG1YY
/HAmE/B4IL+EdITnvrMYaGiwTtozBApkemM3HfrL4E8VXKXypDOe89Y4
=DE+b
-----END PGP SIGNATURE-----




Bug reopened. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 11:30:09 GMT)


No longer marked as fixed in versions zlib/1:1.2.8.dfsg-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 11:30:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Mark Brown <broonie@debian.org>:
Bug#847270; Package src:zlib. (Wed, 07 Dec 2016 11:33:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Mark Brown <broonie@debian.org>. (Wed, 07 Dec 2016 11:33:04 GMT)


Message #19 received at 847270@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 847270@bugs.debian.org
Cc: Mark Brown <broonie@sirena.org.uk>
Subject: Re: Bug#847270: zlib CVE-2016-9840 and CVE-2016-9841
Date: Wed, 7 Dec 2016 12:31:43 +0100
Hi!

On Wed, Dec 07, 2016 at 10:24:05AM +0000, Debian Bug Tracking System wrote:
>    * Apply upstream fix for CVE-2016-9841 (closes: #847270).

It looks like there was some confusion about the CVE used? I see the
patch applied in this upload is the change for CVE-2016-9840, not the
one for CVE-2016-9841?

Can you please double-check and in case rename the patch? Furthermore
the patch for CVE-2016-9841 would still be missing.

For reference the CVE assignment is here:

https://marc.info/?l=oss-security&m=148097605021134&w=2

> Finding 3: Out-of-bounds pointer arithmetic in inftrees.c (Low)

> https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0

Use CVE-2016-9840.


> https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb

Use CVE-2016-9841.

Regards,
Salvatore



Reply sent to Mark Brown <broonie@debian.org>:
You have taken responsibility. (Wed, 07 Dec 2016 15:45:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 07 Dec 2016 15:45:08 GMT)


Message #24 received at 847270-done@bugs.debian.org:

From: Mark Brown <broonie@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 847270-done@bugs.debian.org
Subject: Re: Bug#847270: zlib CVE-2016-9840 and CVE-2016-9841
Date: Wed, 7 Dec 2016 15:42:03 +0000
On Wed, Dec 07, 2016 at 12:31:43PM +0100, Salvatore Bonaccorso wrote:
> On Wed, Dec 07, 2016 at 10:24:05AM +0000, Debian Bug Tracking System wrote:
> >    * Apply upstream fix for CVE-2016-9841 (closes: #847270).

> It looks that there was some confusion about the CVE used? I see the
> patch applied in this upload is the change for CVE-2016-9840, not the
> one for CVE-2016-9841?

That's because you filed three different bug reports about CVEs all with
just boilerplate and no directly readable content about them, mainly a
series of links.  Two of these linked to one CVE but this one linked to
two.  Please be consistent when filing bug reports like this - either
file one report per CVE or file everything in a single report but don't
mix the two models.

Marked as fixed in versions zlib/1:1.2.8.dfsg-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 18:12:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Mark Brown <broonie@debian.org>:
Bug#847270; Package src:zlib. (Wed, 07 Dec 2016 18:24:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Mark Brown <broonie@debian.org>. (Wed, 07 Dec 2016 18:24:03 GMT)


Message #31 received at 847270@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 847270@bugs.debian.org, Mark Brown <broonie@debian.org>
Subject: Re: Bug#847270 closed by Mark Brown <broonie@debian.org> (Re: Bug#847270: zlib CVE-2016-9840 and CVE-2016-9841)
Date: Wed, 7 Dec 2016 19:21:02 +0100
Hi Mark,

> On Wed, Dec 07, 2016 at 12:31:43PM +0100, Salvatore Bonaccorso wrote:
> > On Wed, Dec 07, 2016 at 10:24:05AM +0000, Debian Bug Tracking System wrote:
> > >    * Apply upstream fix for CVE-2016-9841 (closes: #847270).
> 
> > It looks that there was some confusion about the CVE used? I see the
> > patch applied in this upload is the change for CVE-2016-9840, not the
> > one for CVE-2016-9841?
> 
> That's because you filed three different bug reports about CVEs all with
> just boilerplate and no directly readable content about them, mainly a
> series of links.  Two of these linked to one CVE but this one linked to
> two.  Please be consistent when filing bug reports like this - either
> file one report per CVE or file everything in a single report but don't
> mix the two models.

Thanks for your feedback and in particular fixing the issues quickly.

Will do, next time probably four reports. But: It was not just
boilerplate. If you look at all three reports I collected the upstream
commits relative to the CVE, and as well linked to the
security-tracker which leads you to the CVE assignments and more
information including cross-references to other distributions (mainly
SuSE has up-to-date bug reports at the time of this writing).

Furthermore there were three bug reports, divided by the classes of
vulnerabilities.

What though surely can be criticized, and where you are definitively
right, is that both #847274 and #847275 should have included the CVE
description ("No description was found (try on a search engine)" is
definitively not bug-reporting friendly!). So a better report might have
looked like:

CVE-2016-9840 + CVE-2016-9841: out-of-bounds pointer
CVE-2016-9842: Undefined left shift of negative number
CVE-2016-9843: Big-endian out-of-bounds pointer

The above is the reason I decided to do three reports this time
instead of four for every individual CVE, as the common affected
base version for both CVE-2016-9840 and CVE-2016-9841 was
1:1.2.8.dfsg-2.

Hope this clarifies and thanks,
Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#847270; Package src:zlib. (Thu, 08 Dec 2016 15:51:19 GMT)


Acknowledgement sent to Mark Brown <broonie@debian.org>:
Extra info received and forwarded to list. (Thu, 08 Dec 2016 15:51:19 GMT)


Message #36 received at 847270@bugs.debian.org:

From: Mark Brown <broonie@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 847270@bugs.debian.org
Subject: Re: Bug#847270 closed by Mark Brown <broonie@debian.org> (Re: Bug#847270: zlib CVE-2016-9840 and CVE-2016-9841)
Date: Thu, 8 Dec 2016 15:50:23 +0000
On Wed, Dec 07, 2016 at 07:21:02PM +0100, Salvatore Bonaccorso wrote:
> > On Wed, Dec 07, 2016 at 12:31:43PM +0100, Salvatore Bonaccorso wrote:

> > That's because you filed three different bug reports about CVEs all with
> > just boilerplate and no directly readable content about them, mainly a

> Will do  next time probably four reports. But: It was not just
> boilerplate. If you look at all three reports I collected the upstream
> commits relative to the CVE, and as well linked to the
> security-tracker which leads you to the CVE assignments and more

Sorry, when I say that the content was boilerplate with no directly
readable content what I mean is that the human-readable bits were
boilerplate - the links you'd collected were of course distinct but the
actual text of the report was essentially the same between all of them
(indeed it took me a couple of goes to realize that the reports were
actually different).  It was just the formatting, of course I should
have been clear and I realize there was work that went into collecting the
links to the commits and trackers.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 10:50:27 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:08:29 2019; Machine Name: beach
