From 18efdbe8b369c2a1047486f66ddfca0dad036977 Mon Sep 17 00:00:00 2001
From: Nicolas Thill
Date: Fri, 8 Jul 2005 19:29:05 +0000
Subject: [PATCH] Fix security issue (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096)
SVN-Revision: 1382
---
 openwrt/package/zlib/Makefile | 2 +-
 .../patches/zlib-1.2.2-CAN-2005-2096.patch | 26 +++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 openwrt/package/zlib/patches/zlib-1.2.2-CAN-2005-2096.patch
diff --git a/openwrt/package/zlib/Makefile b/openwrt/package/zlib/Makefile
index 95f6ce997e..3b3f57700a 100644
--- a/openwrt/package/zlib/Makefile
+++ b/openwrt/package/zlib/Makefile
@@ -4,7 +4,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=zlib
 PKG_VERSION:=1.2.2
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_MD5SUM:=1b8aab042d40979e456194c468fd72c5
 PKG_SOURCE_URL:=@SF/zlib
diff --git a/openwrt/package/zlib/patches/zlib-1.2.2-CAN-2005-2096.patch b/openwrt/package/zlib/patches/zlib-1.2.2-CAN-2005-2096.patch
new file mode 100644
index 0000000000..b09ae6bfac
--- /dev/null
+++ b/openwrt/package/zlib/patches/zlib-1.2.2-CAN-2005-2096.patch
@@ -0,0 +1,26 @@
+Name: CAN-2005-2096 (under review)
+Description:
+ Buffer overflow in zlib 1.2 and later versions allows remote attackers
+ to cause a denial of service (crash) via a crafted compressed stream, as
+ demonstrated using a crafted PNG file.
+
+References:
+ * DEBIAN:DSA-740
+ http://www.debian.org/security/2005/dsa-740
+ * REDHAT:RHSA-2005:569
+ http://www.redhat.com/support/errata/RHSA-2005-569.html
+
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096
+
+diff -ruN zlib-1.2.2-old/inftrees.c zlib-1.2.2-new/inftrees.c
+--- zlib-1.2.2-old/inftrees.c 2004-09-15 16:30:06.000000000 +0200
++++ zlib-1.2.2-new/inftrees.c 2005-07-08 21:18:58.000000000 +0200
+@@ -134,7 +134,7 @@
+ left -= count[len];
+ if (left < 0) return -1; /* over-subscribed */
+ }
+- if (left > 0 && (type == CODES || (codes - count[0] != 1)))
++ if (left > 0 && (type == CODES || max != 1))
+ return -1; /* incomplete set */
+
+ /* generate offsets into symbol table for each length for sorting */
-- 2.30.2
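Review bot: The added patch's header records only the symptom (a crash on a crafted stream) and not the invariant the new `max != 1` condition enforces or why the old `codes - count[0] != 1` test was insufficient, which is what a maintainer rebasing this patch onto a later zlib will need. A one-line rationale under `Description:` would cover it, e.g. `The only incomplete code deflate permits is a single code of length one; testing max != 1 also rejects a lone code of greater length, which the count-based test let through.` Note that `max` is assigned earlier in inflate_table, outside the quoted context, so the patch relies on it already holding the longest code length at this point; that is worth confirming against the 1.2.2 source rather than from the hunk alone. The surrounding function starts and ends outside this hunk.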