The C standard says that bit shifts of negative integers are undefined.

External References:
https://wiki.mozilla.org/images/0/09/Zlib-report.pdf
https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit#heading=h.t13tvnx4loq7

Upstream patches:
https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958
https://github.com/madler/zlib/commit/2edb94a3025d288dc251bc6cbb2c02e60fbd7438

CVE assignment:
http://seclists.org/oss-sec/2016/q4/602
Created zlib tracking bugs for this issue: Affects: fedora-all [bug 1402352]
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2017:1222 https://access.redhat.com/errata/RHSA-2017:1222
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Red Hat Enterprise Linux 6 Supplementary Via RHSA-2017:1221 https://access.redhat.com/errata/RHSA-2017:1221
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Red Hat Enterprise Linux 6 Supplementary Via RHSA-2017:1220 https://access.redhat.com/errata/RHSA-2017:1220
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2017:2999 https://access.redhat.com/errata/RHSA-2017:2999
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 7 Via RHSA-2017:3047 https://access.redhat.com/errata/RHSA-2017:3047
This issue has been addressed in the following products: Oracle Java for Red Hat Enterprise Linux 7 Oracle Java for Red Hat Enterprise Linux 6 Via RHSA-2017:3046 https://access.redhat.com/errata/RHSA-2017:3046
Quoting from the report <https://wiki.mozilla.org/images/0/09/Zlib-report.pdf>:

> We have identified five areas where code in zlib invokes undefined
> behavior in the C standard. Use of this code does not currently
> generate buggy binaries, but it is possible that with future compilers
> or platforms these latent bugs may manifest in compiled code

Using GCC on Red Hat Enterprise Linux supported architectures, the UB described in this flaw does not manifest as a bug.
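Added example, not part of this bug report and not zlib's own source: the C below shows the shape of the shift that the first comment calls undefined and the shape the upstream inflateMark() patch moved to, and how to make the latent UB visible with a sanitizer even though, as the comment above says, a plain GCC build does not misbehave. The struct and the names mark_shift_negative(), mark_shift_unsigned() and mark_of() are constructed for this example; the field meanings are simplified stand-ins, not zlib's inflate_state.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed stand-in for the parts of the inflate state that the
 * return value of inflateMark() packs together. Not zlib's struct.
 */
struct mark_state {
    long back;        /* -1 until the first length/literal code has been decoded */
    unsigned was;     /* length before the current match began */
    unsigned length;  /* bytes of the current match still to be copied */
    int in_match;     /* nonzero while a match is being copied */
};

/*
 * Shape of the pre-patch arithmetic. Left-shifting a negative signed value
 * is undefined behaviour (C99 6.5.7p4): both the error return and the
 * normal path when back == -1 hit it.
 */
long mark_shift_negative(const struct mark_state *s)
{
    if (s == NULL)
        return -1L << 16;                    /* UB: shift of a negative value */
    return (s->back << 16) +                 /* UB whenever back == -1 */
           (s->in_match ? (long)s->was - (long)s->length : 0);
}

/*
 * Shape of the upstream fix: shift an unsigned value, and negate after the
 * shift instead of before it. Converting the shifted unsigned value back to
 * long is implementation-defined when it does not fit (C99 6.3.1.3p3), which
 * is what the fix accepted in place of UB; GCC and clang define it modulo
 * 2^N, so back == -1 encodes as -65536 on the targets they support.
 */
long mark_shift_unsigned(const struct mark_state *s)
{
    if (s == NULL)
        return -(1L << 16);                  /* shift a positive value, then negate */
    return (long)((unsigned long)s->back << 16) +
           (s->in_match ? (long)s->was - (long)s->length : 0);
}

/* Convenience wrapper: build a state from its fields and encode it with the fixed form. */
long mark_of(long back, unsigned was, unsigned length, int in_match)
{
    struct mark_state s = { back, was, length, in_match };
    return mark_shift_unsigned(&s);
}

int main(void)
{
    struct mark_state fresh = { -1, 0, 0, 0 };   /* constructed: nothing decoded yet */
    struct mark_state mid   = {  5, 20, 4, 1 };  /* constructed: 4 of 20 match bytes left */

    /*
     * Build with:  cc -fsanitize=undefined example.c && ./a.out
     * UBSan reports "left shift of negative value -1" for the two
     * mark_shift_negative() calls below and stays silent for the
     * mark_shift_unsigned() calls. Without the sanitizer both forms
     * print the same numbers, which is why the bug is latent.
     */
    printf("undefined form: %ld %ld\n",
           mark_shift_negative(NULL), mark_shift_negative(&fresh));
    printf("defined form:   %ld %ld %ld\n",
           mark_shift_unsigned(NULL), mark_shift_unsigned(&fresh),
           mark_shift_unsigned(&mid));
    return 0;
}
```

Because the miscompile does not show up in ordinary builds, the practical checks are a -fsanitize=undefined (or -fsanitize=shift) test run of the affected code paths, and building with -Wshift-negative-value (on by default with -Wextra in GCC 6 and later, also in clang), which flags the constant-expression case at compile time.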
This issue has been addressed in the following products: Red Hat Satellite 5.8 Red Hat Satellite 5.8 ELS Via RHSA-2017:3453 https://access.redhat.com/errata/RHSA-2017:3453