Bug 1402345 (CVE-2016-9840)

Summary: CVE-2016-9840 zlib: Out-of-bound pointer arithmetic in inftrees.c
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: apintea, asoldano, bbaranow, bkundal, bmaxwell, brian.stansberry, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, databases-maint, dimitris, dkreling, dosoudil, fgavrilo, fjuma, fnasser, gzaronik, huwang, istudens, ivassile, iweiss, jaromir.capik, jason.greene, jawilson, jboss-set, jchaloup, jclere, jdoyle, jondruse, jshepherd, jvanek, lgao, mbabacek, mosmerov, msochure, msvehla, myarboro, nwallace, pesilva, pgier, pjindal, pjurak, plodge, pmackay, ppalaga, praiskup, psakar, pschiffe, pslavice, rnetuka, rstancel, rsvoboda, sardella, smaestri, sstavrev, szappis, tom.jenkinson, trepik, twalsh, vtunka, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: zlib 1.2.9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-07 10:11:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1402352, 1503325, 1503326, 1503327, 1503328, 1503329, 1503330, 1503331, 1503332, 1503333, 1503334, 1503335, 1503336    
Bug Blocks:    

Description Andrej Nemec 2016-12-07 10:03:01 UTC 
inftrees.c was subtracting an offset from a pointer to an array,
in order to provide a pointer that allowed indexing starting at
the offset. This is not compliant with the C standard, for which
the behavior of a pointer decremented before its allocated memory
is undefined.

External References:

https://wiki.mozilla.org/images/0/09/Zlib-report.pdf
https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit#heading=h.t13tvnx4loq7

Upstream patch:

https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0

CVE assignment:

http://seclists.org/oss-sec/2016/q4/602
Comment 1 Andrej Nemec 2016-12-07 10:13:42 UTC 
Created zlib tracking bugs for this issue:

Affects: fedora-all [bug 1402352]
Comment 2 errata-xmlrpc 2017-05-10 12:45:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:1222 https://access.redhat.com/errata/RHSA-2017:1222
Comment 3 errata-xmlrpc 2017-05-10 12:47:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:1221 https://access.redhat.com/errata/RHSA-2017:1221
Comment 4 errata-xmlrpc 2017-05-10 12:49:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2017:1220 https://access.redhat.com/errata/RHSA-2017:1220
Comment 7 errata-xmlrpc 2017-10-23 07:47:47 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2017:2999 https://access.redhat.com/errata/RHSA-2017:2999
Comment 8 errata-xmlrpc 2017-10-24 12:12:03 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 7

Via RHSA-2017:3047 https://access.redhat.com/errata/RHSA-2017:3047
Comment 9 errata-xmlrpc 2017-10-24 12:17:50 UTC 
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 7
  Oracle Java for Red Hat Enterprise Linux 6

Via RHSA-2017:3046 https://access.redhat.com/errata/RHSA-2017:3046
Comment 10 Doran Moppert 2017-10-31 05:00:46 UTC 
Quoting from the report
<https://wiki.mozilla.org/images/0/09/Zlib-report.pdf>:

> We have identified five areas where code in zlib invokes undefined
> behavior in the C standard. Use of this code does not currently
> generate buggy binaries, but it is possible that with future compilers
> or platforms these latent bugs may manifest in compiled code

Using GCC on Red Hat Enterprise Linux supported architectures, the UB
described in this flaw does not manifest as a bug.
Comment 11 errata-xmlrpc 2017-12-13 16:49:24 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 5.8
  Red Hat Satellite 5.8 ELS

Via RHSA-2017:3453 https://access.redhat.com/errata/RHSA-2017:3453
Comment 13 errata-xmlrpc 2025-06-02 21:18:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:8395 https://access.redhat.com/errata/RHSA-2025:8395
Comment 14 errata-xmlrpc 2025-06-03 10:16:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:8284 https://access.redhat.com/errata/RHSA-2025:8284
Comment 15 errata-xmlrpc 2025-06-04 09:20:31 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:8280 https://access.redhat.com/errata/RHSA-2025:8280