| author | Mark Adler <git@madler.net> | 2026-01-03 01:07:40 -0600 |
|---|---|---|
| committer | Mark Adler <git@madler.net> | 2026-01-05 15:03:04 -0600 |
| commit | fd366384cf324d750596feb03be44ddf4d1e6acd (patch) | |
| tree | 0c1d8eaa0538f8681ae0ce7a4e02ba71ff07d4fd /configure | |
| parent | cab7352dc71048f130a7d4e0b7fd773909761133 (diff) | |
Prevent the use of insecure functions without an explicit request.
ZLIB_INSECURE must be defined in order to compile code that uses
the insecure functions vsprintf() or sprintf(). This would occur
only if the standard vsnprintf() or snprintf() functions are not
available. Providing the --insecure option to ./configure will
define ZLIB_INSECURE. A flag is added to zlibCompileFlags() to
indicate that gzprintf() is not implemented because it would
require the use of an insecure function and ZLIB_INSECURE was not
defined.
Diffstat (limited to 'configure')
| -rwxr-xr-x | configure | 17 |
1 files changed, 14 insertions, 3 deletions
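--- a/configure
+++ b/configure
@@ -92,6 +92,7 @@ warn=0
 debug=0
 address=0
 memory=0
+insecure=0
 unknown=0
 old_cc="$CC"
 old_cflags="$CFLAGS"
@@ -118,7 +119,7 @@ case "$1" in
 -h* | --help)
 echo 'usage:' | tee -a configure.log
 echo ' configure [--const] [--zprefix] [--prefix=PREFIX] [--eprefix=EXPREFIX]' | tee -a configure.log
-echo ' [--static] [--64] [--libdir=LIBDIR] [--sharedlibdir=LIBDIR]' | tee -a configure.log
+echo ' [--insecure] [--static] [--64] [--libdir=LIBDIR] [--sharedlibdir=LIBDIR]' | tee -a configure.log
 echo ' [--includedir=INCLUDEDIR] [--archs="-arch i386 -arch x86_64"]' | tee -a configure.log
 exit 0 ;;
 -p*=* | --prefix=*) prefix=`echo $1 | sed 's/.*=//'`; shift ;;
@@ -146,6 +147,7 @@ case "$1" in
 --sanitize) address=1; shift ;;
 --address) address=1; shift ;;
 --memory) memory=1; shift ;;
+--insecure) insecure=1; shift ;;
 *) unknown=1; echo "unknown option ignored: $1" | tee -a configure.log; shift;;
 esac
 done
@@ -256,6 +258,9 @@ if test "$gcc" -eq 1 && ($cc -c $test.c) >> configure.log 2>&1; then
 if test $memory -eq 1; then
 CFLAGS="${CFLAGS} -g -fsanitize=memory -fno-omit-frame-pointer"
 fi
+if test $insecure -eq 1; then
+CFLAGS="${CFLAGS} -DZLIB_INSECURE"
+fi
 if test $debug -eq 1; then
 CFLAGS="${CFLAGS} -DZLIB_DEBUG"
 SFLAGS="${SFLAGS} -DZLIB_DEBUG"
@@ -740,7 +745,10 @@ EOF
 echo " WARNING: vsnprintf() not found, falling back to vsprintf(). zlib" | tee -a configure.log
 echo " can build but will be open to possible buffer-overflow security" | tee -a configure.log
 echo " vulnerabilities." | tee -a configure.log
-
+if test $insecure -ne 1; then
+echo " The --insecure option must be provided to ./configure in order to" | tee -a configure.log
+echo " compile using the insecure vsprintf() function." | tee -a configure.log
+fi
 echo >> configure.log
 cat >$test.c <<EOF
 #include <stdio.h>
@@ -824,7 +832,10 @@ EOF
 echo " WARNING: snprintf() not found, falling back to sprintf(). zlib" | tee -a configure.log
 echo " can build but will be open to possible buffer-overflow security" | tee -a configure.log
 echo " vulnerabilities." | tee -a configure.log
-
+if test $insecure -ne 1; then
+echo " The --insecure option must be provided to ./configure in order to" | tee -a configure.log
+echo " compile using the insecure sprintf() function." | tee -a configure.log
+fi
 echo >> configure.log
 cat >$test.c <<EOF
 #include <stdio.h>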
