Bug 1003580 – VUL-1: CVE-2016-9842: zlib: Undefined Left Shift of Negative Number

Bug 1003580 - (CVE-2016-9842) VUL-1: CVE-2016-9842: zlib: Undefined Left Shift of Negative Number

(CVE-2016-9842)
Summary:	VUL-1: CVE-2016-9842: zlib: Undefined Left Shift of Negative Number

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv2:SUSE:CVE-2016-9842:4.6:(AV:N/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2016-10-07 10:29 UTC by Johannes Segitz
Modified:	2020-06-16 01:43 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Segitz 2016-10-07 10:29:57 UTC

Security audit of zlib: https://wiki.mozilla.org/images/0/09/Zlib-report.pdf

Upstream comments: https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit#heading=h.t13tvnx4loq7

Fixes: https://github.com/madler/zlib - you need to switch to 'develop'

Quoting from the report:
While testing the possible fix of the strict aliasing issue (  Finding 2  ), we identified an invalid left shift of a negative number.
Source Reference (inflate.c):
1507 if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16;
Left shifts of negative value are undefined, but in practice this will probably
continue to have the desired behavior.
Recommendation:
Change -1L << 16 to (~0xFFFFL).
Potential sample code:
1507 if (strm == Z_NULL || strm->state == Z_NULL) return (~0xFFFFL);

Fix: https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811

Comment 1 Swamp Workflow Management 2016-10-07 22:00:38 UTC

bugbot adjusting priority

Comment 2 Bernhard Wiedemann 2016-12-04 13:00:37 UTC

This is an autogenerated message for OBS integration:
This bug (1003580) was mentioned in
https://build.opensuse.org/request/show/443701 Factory / zlib
https://build.opensuse.org/request/show/443702 13.2 / zlib

Comment 3 Tomáš Chvátal 2016-12-04 13:52:33 UTC

all sumbissions done

Comment 4 Tomáš Chvátal 2016-12-04 13:54:43 UTC

all sumbissions done

Comment 6 Marcus Meissner 2016-12-06 10:26:10 UTC

    Finding 5: Big-endian out-of-bounds pointer (Low)
    Fix: https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811


Use CVE-2016-9843.

Comment 7 Salvatore Bonaccorso 2016-12-06 20:58:01 UTC

Hi Marcus

I think comment #6 should belong to another but, the one for CVE-2016-9843, i.e. https://bugzilla.novell.com/show_bug.cgi?id=1013882 ?

The commit for CVE-2016-9842 is according to https://marc.info/?l=oss-security&m=148097605021134&w=2 https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958

Regards,
Salvatore

Comment 8 Marcus Meissner 2016-12-12 12:04:02 UTC

yeah, i mixed stuff up.

Comment 9 Marcus Meissner 2016-12-12 12:06:32 UTC

and e54e1299404101a5a9d0cf5e45512b543967f958 is for the left shift

Comment 10 Tomáš Chvátal 2016-12-12 12:34:25 UTC

Patch updated.

Comment 11 Bernhard Wiedemann 2016-12-12 13:04:07 UTC

This is an autogenerated message for OBS integration:
This bug (1003580) was mentioned in
https://build.opensuse.org/request/show/445412 Factory / zlib
https://build.opensuse.org/request/show/445413 13.2 / zlib

Comment 13 Swamp Workflow Management 2016-12-20 20:09:26 UTC

openSUSE-SU-2016:3202-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1003577,1003579,1003580,1013882
CVE References: CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Sources used:
openSUSE 13.2 (src):    zlib-1.2.8-5.8.1

Comment 14 Swamp Workflow Management 2016-12-21 19:07:51 UTC

SUSE-SU-2016:3209-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1003577,1003579,1003580,1013882
CVE References: CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    zlib-1.2.7-0.14.1
SUSE Linux Enterprise Server 11-SP4 (src):    zlib-1.2.7-0.14.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    zlib-1.2.7-0.14.1

Comment 15 Swamp Workflow Management 2017-01-02 11:09:40 UTC

SUSE-SU-2017:0003-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1003577,1003579,1003580,1013882
CVE References: CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    zlib-1.2.8-11.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    zlib-1.2.8-11.1
SUSE Linux Enterprise Server 12-SP2 (src):    zlib-1.2.8-11.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    zlib-1.2.8-11.1

Comment 16 Swamp Workflow Management 2017-01-02 11:10:32 UTC

SUSE-SU-2017:0004-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1003577,1003579,1003580,1013882
CVE References: CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    zlib-1.2.8-6.3.1
SUSE Linux Enterprise Server 12-SP1 (src):    zlib-1.2.8-6.3.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    zlib-1.2.8-6.3.1

Comment 17 Swamp Workflow Management 2017-01-08 00:20:20 UTC

openSUSE-SU-2017:0077-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1003577,1003579,1003580,1013882
CVE References: CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Sources used:
openSUSE Leap 42.1 (src):    zlib-1.2.8-8.1

Comment 18 Swamp Workflow Management 2017-01-08 00:21:33 UTC

openSUSE-SU-2017:0080-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1003577,1003579,1003580,1013882
CVE References: CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Sources used:
openSUSE Leap 42.2 (src):    zlib-1.2.8-10.1

Comment 19 Marcus Meissner 2017-10-25 20:01:10 UTC

released

Comment 20 Swamp Workflow Management 2018-06-26 13:09:13 UTC

SUSE-SU-2018:1815-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1003577,1003579,1003580,1013882,1095016,912771,920442
CVE References: CVE-2016-9840,CVE-2016-9841,CVE-2016-9842,CVE-2016-9843
Sources used:
SUSE Studio Onsite 1.3 (src):    zlib-1.2.7-0.135.3.1

Comment 21 Swamp Workflow Management 2019-11-12 16:40:17 UTC

This is an autogenerated message for OBS integration:
This bug (1003580) was mentioned in
https://build.opensuse.org/request/show/747777 Backports:SLE-12 / zlib