From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2045.outbound.protection.outlook.com [40.107.20.45]) by sourceware.org (Postfix) with ESMTPS id 786883858C52; Tue, 12 Apr 2022 07:30:30 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 786883858C52 Received: from AM5PR0402CA0009.eurprd04.prod.outlook.com (2603:10a6:203:90::19) by PR2PR08MB5225.eurprd08.prod.outlook.com (2603:10a6:101:1c::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5144.29; Tue, 12 Apr 2022 07:30:22 +0000 Received: from AM5EUR03FT021.eop-EUR03.prod.protection.outlook.com (2603:10a6:203:90:cafe::71) by AM5PR0402CA0009.outlook.office365.com (2603:10a6:203:90::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5144.30 via Frontend Transport; Tue, 12 Apr 2022 07:30:22 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;dmarc=pass action=none header.from=arm.com; Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com; Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by AM5EUR03FT021.mail.protection.outlook.com (10.152.16.105) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5144.21 via Frontend Transport; Tue, 12 Apr 2022 07:30:22 +0000 Received: ("Tessian outbound 62985e3c34b6:v118"); Tue, 12 Apr 2022 07:30:22 +0000 X-CheckRecipientChecked: true X-CR-MTA-CID: b0a968607b44c649 X-CR-MTA-TID: 64aa7808 Received: from fc13c29d7e4c.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 5A636E94-1343-4F0E-9006-A102631899C2.1; Tue, 12 Apr 2022 07:30:16 +0000 Received: from EUR02-HE1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id fc13c29d7e4c.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Tue, 12 Apr 2022 07:30:16 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hssN7wuDLbcxNDpqBWFvBrpKZBZI5bnTdA+kOmlmJOGLbgtIioIP8ktRJk2a7DU9zmCvZoj1HpGuOV/ir42t7qDlSXEjjogZ6CJeWE9m0tHNZgsTqC6Pn9LN7lXZXsEkrY44nAIQwp3GmZ+z1ifEww/LMZD65WyXlUlvUGnPVSHWWkHIz6/Y+cun0GluYp8HCo+WNRvdiaQLbYRcBgX1fjDDMDHbuNSi9fIyI4rLZsOWQ4gqbdNNYv7I/6PJGCv5uIGT6xP4RzDBBWxjG54VJ8/Ktz8omNkrsIt9lxfBtxRZ61l7oE0+vvBIQI/kq0KxYLJYp4iqFjvxpF4GuJy1tA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=n98M9JKOh55vnRv31q/ru5Tu11FZhdsuM0COOfvzHa8=; b=OX8Lwr3RkhTY1QPJVXWDItzX/YAMEtW9O/RL5pxFyIyBq4yjM+zwO3P/LFl9IuJgTv4wZxUodQBxxT0m3nz7wz2r0S5Lttu7CfzLcwE8nKTSNCgc0DJhEbYv+KhENieGXSkwr4hZNunqFsr0canjo+vi7r3I5EZg9fgWg2F4qfbGSXYpBewbu+jj2NTSzbX3kwST7tqrBOSQppPYqE9tP+K+yjVgld2PSGhiYAgP9EfGz2UFCyjawuRdq3fvFVLCJE5b+kW94AzgO/e68T0TnD+plBWFqvILm+21sZL3iqU3teNldNZajy/iFGwu+HoXOpLGTW7Eyb+2+j7wKPlSRA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none Authentication-Results-Original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com; Received: from VI1PR08MB3919.eurprd08.prod.outlook.com (2603:10a6:803:c4::31) by AS8PR08MB6709.eurprd08.prod.outlook.com (2603:10a6:20b:395::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5144.29; Tue, 12 Apr 2022 07:30:12 +0000 Received: from VI1PR08MB3919.eurprd08.prod.outlook.com ([fe80::1d77:d9e:16a8:75d5]) by VI1PR08MB3919.eurprd08.prod.outlook.com ([fe80::1d77:d9e:16a8:75d5%7]) with mapi id 15.20.5144.030; Tue, 12 Apr 2022 07:30:12 +0000 Message-ID: Date: Tue, 12 Apr 2022 08:30:04 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0 Subject: Re: [CVE] zlib (< 1.2.12) memory corruption Content-Language: en-US To: Nick Clifton , binutils@sourceware.org, "gdb@sourceware.org" , gcc@gcc.gnu.org References: <3a271c96-047b-1cd3-54c9-e103421602d3@redhat.com> From: Luis Machado In-Reply-To: <3a271c96-047b-1cd3-54c9-e103421602d3@redhat.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-ClientProxiedBy: SA0PR11CA0031.namprd11.prod.outlook.com (2603:10b6:806:d0::6) To VI1PR08MB3919.eurprd08.prod.outlook.com (2603:10a6:803:c4::31) MIME-Version: 1.0 X-MS-Office365-Filtering-Correlation-Id: 30e0cc66-f083-4830-bf5f-08da1c564dd3 X-MS-TrafficTypeDiagnostic: AS8PR08MB6709:EE_|AM5EUR03FT021:EE_|PR2PR08MB5225:EE_ X-LD-Processed: f34e5979-57d9-4aaa-ad4d-b122a662184d,ExtAddr X-Microsoft-Antispam-PRVS: x-checkrecipientrouted: true NoDisclaimer: true X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam-Untrusted: BCL:0; X-Microsoft-Antispam-Message-Info-Original: 7tWpdLLoXk1eMBsa3Spfgcf2JzmGgxG+Q5+MS4FYsYKNyiom1CAHKymifzwY5ihiQD0YeZ3w8lrROWtRYa5JF4n1JD4cCTfK88kdnKE+gCRgKyY6AEIzMLCwzw/cVoy0VU+uVis0NOUmpb2g2zedIi7d8zSvMOXuWA1TOkxHvoWA/rDiQ083PvfLNA0XzGZCTpdd9l4UCtWiHyUyUtkbzTxiqT5PRqlWhZD0RBya5UoY/XxltXC31o25s/01McK7a5pmMeykRafaXrTbHxuwdsUE6dt9LT1Y0ihQMpO8K9VgxsXfTMk/6UvdgYampu+JPSs9Kz4taRG100ViDRbJXKbE7KFDGkn9zTZuvf1AZgPthsC67zVFkwO9gZbktJCcN2MDKaXVRTstlK2/mxnzTOh3lnRqMYDKEPfcwhce2QrzC/kleDnLN0+NXSLJ0mIXcS1nuWXyfG70czTncB8rSq+xlsnJ+S5GiQouvCqhRFj4eS0EIrDFdrC+Rj/FzFHNya6DF3RkjXs9clB1XNdD2mvrueYj/f90byW0kp/UkuzTpzU5+itIgEFmnN9lfGYY1dtPvo4kz5ELa0Z7imDG9mic0W3hXF1QxyXqjNUeM40SpLIjTEwv3yY3s6FQe8ABurpIi4qDlKN+1vkGw/2O0G53taLO3oJJ4JP2HhH1cayjYcSt64worEmRX5o7tAIsVnMwGjwMf3Pk1Ef4AU9UgknmVxLcoUNSsUazN/GYxBE= X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR08MB3919.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(26005)(2616005)(110136005)(316002)(8676002)(4744005)(66946007)(2906002)(38100700002)(66476007)(66556008)(31686004)(186003)(36756003)(508600001)(6486002)(44832011)(31696002)(5660300002)(8936002)(6506007)(6512007)(83380400001)(53546011)(6666004)(86362001)(43740500002)(45980500001); DIR:OUT; SFP:1101; X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR08MB6709 Original-Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com; X-EOPAttributedMessage: 0 X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM5EUR03FT021.eop-EUR03.prod.protection.outlook.com X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id-Prvs: f68a57ca-02e8-43ad-67d0-08da1c56473a X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: 9KwxsVbojjoGPp5hlVykV978YTEuG5EhLrFp44kHHs1cutWiNjpNkqNaEJ7S5G6A8/THSleW2vT0uL7xiy68kVPZzalK31dl5s83+D4G3US+v71gjo+gjCmyjoW75O8QbVfrMJJwQzC3n5wJaxE5Iwt3mTW2SKQQFepAvOCRb/XZhhx3Sy3MAhaXi61e/j+jQmQTuAmbiY20Lteym90nLHDZkEhE52dbDTpwYBh5RCqXWOeQFNF+qOk/TkLYD51b5AlKrhAWMSMoOQhxTJ9BSOwZI3X2sl6gwRAuZnA7Y4NHQG9SLuRPfpnuG5i0Fle7nKd2jofE4ewLZZ6UmgjlRoUkuibvuTkL6kkb9tDjBUOz1JqY0Tcg5c+7EOdBUIt4v7KA1zXeg8pgnxpSj8nclvO27zS9bzWIJWpEfsXDAucjcNHrhqNCmaLnoxYhfvM3Wj+5/nFHHicMKOcfsmXYgO89aDo7qAMxmKIYp+FgqcqrZKevst3czSMio36Gu6Wy1BiO5FFWLfOG3tmJ1uONNKl0D6oA0jusrQ73wOeKZXC4M33RK/4elFnRWqkBSK5DWNVr76UrxLfvzEyNqiZ7qNixaFan0Th6J92wZNWEufIWVg17gf67mczn22Y1Lukou/ewh4cguX8NV4P3Zg5JkvMdZ7rlB81qCs1xmzOnjKrDr+HthkUCiXv7YE31+pcw36RkLnsGBA4WbarAjDtNdA== X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(13230001)(4636009)(40470700004)(46966006)(36840700001)(86362001)(450100002)(36860700001)(70206006)(70586007)(31696002)(8676002)(40460700003)(47076005)(356005)(53546011)(4744005)(81166007)(82310400005)(8936002)(6486002)(6512007)(2906002)(6666004)(6506007)(44832011)(336012)(508600001)(316002)(5660300002)(36756003)(83380400001)(186003)(110136005)(2616005)(31686004)(26005)(43740500002); DIR:OUT; SFP:1101; X-OriginatorOrg: arm.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Apr 2022 07:30:22.3926 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 30e0cc66-f083-4830-bf5f-08da1c564dd3 X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com] X-MS-Exchange-CrossTenant-AuthSource: AM5EUR03FT021.eop-EUR03.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR2PR08MB5225 X-Spam-Status: No, score=-7.5 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, NICE_REPLY_A, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2, SPF_HELO_PASS, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE, UNPARSEABLE_RELAY autolearn=unavailable autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: gdb@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gdb mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Apr 2022 07:30:31 -0000 Hi Nick, On 4/8/22 14:36, Nick Clifton wrote: > Hi Luis, > >> There is a CVE [1] for zlib < 1.2.12 (released march 27th). >> >> GCC currently uses zlib 1.2.11, and binutils-gdb imports the zlib >> directory from GCC. The recommendation is to get it updated to 1.2.12, >> which contains the proper fix [2]. > > I am all for updating the binutils-gdb copy of zlib.  I will wait a > couple of > days to see if anyone else has any comments or concerns, but if not, then I > will apply the patches myself. I did a quick check and there seems to be some differences between gcc's zlib subdir and binutils-gdb's zlib subdir. I think there has been some fixes that we may have to port over from our current zlib subdir. I tried simply replacing the subdir, but that didn't work right.