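--- a/SPECS/zlib/CVE-2026-27171.patch
+++ b/SPECS/zlib/CVE-2026-27171.patch
@@ -0,0 +1,60 @@
+From 4862a6c45c5d27cd4ab597f045b1ce128c62294e Mon Sep 17 00:00:00 2001
+From: AllSpark <allspark@microsoft.com>
+Date: Mon, 2 Mar 2026 16:41:38 +0000
+Subject: [PATCH] Check for negative lengths in crc32_combine functions; update
+zlib.h documentation.
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://github.com/madler/zlib/commit/ba829a458576d1ff0f26fc7230c6de816d1f6a77.patch
+---
+crc32.c | 4 ++++
+zlib.h | 5 +++--
+2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/crc32.c b/crc32.c
+index f8357b0..d00567c 100644
+--- a/crc32.c
++++ b/crc32.c
+@@ -1083,6 +1083,8 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2)
+uLong crc2;
+z_off64_t len2;
+{
++ if (len2 < 0)
++ return 0;
+#ifdef DYNAMIC_CRC_TABLE
+once(&made, make_crc_table);
+#endif /* DYNAMIC_CRC_TABLE */
+@@ -1102,6 +1104,8 @@ uLong ZEXPORT crc32_combine(crc1, crc2, len2)
+uLong ZEXPORT crc32_combine_gen64(len2)
+z_off64_t len2;
+{
++ if (len2 < 0)
++ return 0;
+#ifdef DYNAMIC_CRC_TABLE
+once(&made, make_crc_table);
+#endif /* DYNAMIC_CRC_TABLE */
+diff --git a/zlib.h b/zlib.h
+index 953cb50..d3b3bf5 100644
+--- a/zlib.h
++++ b/zlib.h
+@@ -1755,14 +1755,15 @@ ZEXTERN uLong ZEXPORT crc32_combine OF((uLong crc1, uLong crc2, z_off_t len2));
+seq1 and seq2 with lengths len1 and len2, CRC-32 check values were
+calculated for each, crc1 and crc2. crc32_combine() returns the CRC-32
+check value of seq1 and seq2 concatenated, requiring only crc1, crc2, and
+- len2.
++ len2. len2 must be non-negative, otherwise zero is returned.
+*/
+
+/*
+ZEXTERN uLong ZEXPORT crc32_combine_gen OF((z_off_t len2));
+
+Return the operator corresponding to length len2, to be used with
+- crc32_combine_op().
++ crc32_combine_op(). len2 must be non-negative, otherwise zero is returned.
++
+*/
+
+ZEXTERN uLong ZEXPORT crc32_combine_op OF((uLong crc1, uLong crc2, uLong op));
+--
+2.45.4
+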
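Review bot: The new `if (len2 < 0) return 0;` guards in crc32_combine64 and crc32_combine_gen64 use 0 as the rejection value, and 0 is also a legitimate CRC-32 result, so a caller cannot distinguish a rejected length from a real check value; callers that derive len2 from untrusted input should range-check it before the call rather than rely on the return, and the zlib.h wording `len2 must be non-negative, otherwise zero is returned` could say so explicitly. The 32-bit crc32_combine and crc32_combine_gen entry points are not modified by this patch; they appear to be covered only if they forward to the 64-bit variants, which the hunks do not show, so that should be confirmed against the referenced upstream commit since this is marked as an automated backport. Both guarded function bodies continue past the end of their hunks. As a style point, the second zlib.h hunk adds an empty line between `crc32_combine_op(). len2 must be non-negative, otherwise zero is returned.` and the closing `*/`, unlike the crc32_combine comment block just above it; that stray blank line should be dropped.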
6 changes: 5 additions & 1 deletion SPECS/zlib/zlib.spec
@@ -1,14 +1,15 @@
Summary: Compression and decompression routines
Name: zlib
Version: 1.2.13
Release: 2%{?dist}
Release: 3%{?dist}
URL: https://www.zlib.net/
License: zlib
Group: Applications/System
Vendor: Microsoft Corporation
Distribution: Mariner
Source0: https://github.com/madler/zlib/releases/download/v%{version}/%{name}-%{version}.tar.xz
Patch0: CVE-2023-45853.patch
Patch1: CVE-2026-27171.patch
%description
Compression and decompression routines
%package devel
Expand Down Expand Up @@ -50,6 +51,9 @@ make %{?_smp_mflags} check
%{_mandir}/man3/zlib.3.gz

%changelog
* Mon Mar 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.2.13-3
- Patch for CVE-2026-27171

* Thu Oct 19 2023 Nan Liu <liunan@microsoft.com> - 1.2.13-2
- Add patch to address CVE-2023-45853
- Fix invalid source URL
4 changes: 2 additions & 2 deletions toolkit/resources/manifests/package/pkggen_core_aarch64.txt
Expand Up @@ -7,8 +7,8 @@ glibc-iconv-2.35-10.cm2.aarch64.rpm
glibc-lang-2.35-10.cm2.aarch64.rpm
glibc-nscd-2.35-10.cm2.aarch64.rpm
glibc-tools-2.35-10.cm2.aarch64.rpm
zlib-1.2.13-2.cm2.aarch64.rpm
zlib-devel-1.2.13-2.cm2.aarch64.rpm
zlib-1.2.13-3.cm2.aarch64.rpm
zlib-devel-1.2.13-3.cm2.aarch64.rpm
file-5.40-3.cm2.aarch64.rpm
file-devel-5.40-3.cm2.aarch64.rpm
file-libs-5.40-3.cm2.aarch64.rpm
4 changes: 2 additions & 2 deletions toolkit/resources/manifests/package/pkggen_core_x86_64.txt
Expand Up @@ -7,8 +7,8 @@ glibc-iconv-2.35-10.cm2.x86_64.rpm
glibc-lang-2.35-10.cm2.x86_64.rpm
glibc-nscd-2.35-10.cm2.x86_64.rpm
glibc-tools-2.35-10.cm2.x86_64.rpm
zlib-1.2.13-2.cm2.x86_64.rpm
zlib-devel-1.2.13-2.cm2.x86_64.rpm
zlib-1.2.13-3.cm2.x86_64.rpm
zlib-devel-1.2.13-3.cm2.x86_64.rpm
file-5.40-3.cm2.x86_64.rpm
file-devel-5.40-3.cm2.x86_64.rpm
file-libs-5.40-3.cm2.x86_64.rpm
6 changes: 3 additions & 3 deletions toolkit/resources/manifests/package/toolchain_aarch64.txt
Expand Up @@ -586,9 +586,9 @@ xz-lang-5.2.5-1.cm2.aarch64.rpm
xz-libs-5.2.5-1.cm2.aarch64.rpm
zip-3.0-5.cm2.aarch64.rpm
zip-debuginfo-3.0-5.cm2.aarch64.rpm
zlib-1.2.13-2.cm2.aarch64.rpm
zlib-debuginfo-1.2.13-2.cm2.aarch64.rpm
zlib-devel-1.2.13-2.cm2.aarch64.rpm
zlib-1.2.13-3.cm2.aarch64.rpm
zlib-debuginfo-1.2.13-3.cm2.aarch64.rpm
zlib-devel-1.2.13-3.cm2.aarch64.rpm
zstd-1.5.4-1.cm2.aarch64.rpm
zstd-debuginfo-1.5.4-1.cm2.aarch64.rpm
zstd-devel-1.5.4-1.cm2.aarch64.rpm
6 changes: 3 additions & 3 deletions toolkit/resources/manifests/package/toolchain_x86_64.txt
Expand Up @@ -592,9 +592,9 @@ xz-lang-5.2.5-1.cm2.x86_64.rpm
xz-libs-5.2.5-1.cm2.x86_64.rpm
zip-3.0-5.cm2.x86_64.rpm
zip-debuginfo-3.0-5.cm2.x86_64.rpm
zlib-1.2.13-2.cm2.x86_64.rpm
zlib-debuginfo-1.2.13-2.cm2.x86_64.rpm
zlib-devel-1.2.13-2.cm2.x86_64.rpm
zlib-1.2.13-3.cm2.x86_64.rpm
zlib-debuginfo-1.2.13-3.cm2.x86_64.rpm
zlib-devel-1.2.13-3.cm2.x86_64.rpm
zstd-1.5.4-1.cm2.x86_64.rpm
zstd-debuginfo-1.5.4-1.cm2.x86_64.rpm
zstd-devel-1.5.4-1.cm2.x86_64.rpm