6 files changed, 459 insertions, 0 deletions
diff --git a/sys-libs/Manifest.gz b/sys-libs/Manifest.gz
index 63f68e6f9b97..6a9f35ff8daa 100644
--- a/sys-libs/Manifest.gz
+++ b/sys-libs/Manifest.gz
diff --git a/sys-libs/timezone-data/Manifest b/sys-libs/timezone-data/Manifest
index 31921be6b1d1..a966d73d2aaa 100644
--- a/sys-libs/timezone-data/Manifest
+++ b/sys-libs/timezone-data/Manifest
@@ -2,12 +2,15 @@ DIST tzcode2021a.tar.gz 262204 BLAKE2B 4072685f2344602ffcfe32a7bf92d3b0d93e38ffc
 DIST tzcode2021e.tar.gz 273644 BLAKE2B 3331477d8107fb30b2c37d3a3afb212dda7ecf53aa553ea5070537bd1a4a01bf62e70adb2fb14c025e22d272d96ee51e9e5089c5c9790682d3c43cda0ded8680 SHA512 87b0335129ea41c5f42f687f548712e5da892baa8494cecf5d34851beceecf6ae52f22104696ed187713cf9e502570eb2041e277dfd3c043c11d0253bfde685a
 DIST tzcode2022a.tar.gz 275632 BLAKE2B f9b3bb5eedc51896c2a1dd77fe8118518c8a1f35152325fa6c4163e11dd34aeb0c88b16b17a27ad022feb2f6818996ec0e40e06a7e1edd454187f586c3739070 SHA512 3f047a6f414ae3df4a3d6bb9b39a1790833d191ae48e6320ab9438cd326dc455475186a02c44e4cde96b48101ab000880919b1e0e8092aed7254443ed2c831ed
 DIST tzcode2022b.tar.gz 279432 BLAKE2B f4fdb5ded5186e536849b1da9768dcdb389a2b9f6530070388cea9eca17d9db02198a25f1310d9a50ba5f8a53270d3336f9b2cf803666edb2dac20333d57ed8f SHA512 851622eb8e6dc8f8201bf05e1f7e411ca32b2ed0f4dc9f6b875f4482c05c4a3302259b78c3e8e2dadda52ae19d4d34ffa3463fee10f70fa3a8b08b19f1417f79
+DIST tzcode2022c.tar.gz 280190 BLAKE2B 4c66b84da8b1e535b92f8be8f0a1fa32f3b050f3e7676370e3094b5098e7670455e506160f364c61cfba1a919b769da8864a5347f240107c750c723fcc5caa2f SHA512 3373fa16a12007415c3dc3a75c4a0d61d6ae54968eeecedcdf4bcfd7f554020a15c4687dde107b90462b75d848eebe1e200c33322ebe0d3f1ad11bc769cade06
 DIST tzdata2021a.tar.gz 411892 BLAKE2B b8d177e90e22bd8a3fd23c9a9c19896cb245efd8e768b59ab8c63e56ab141e67331f3231e3a7c802f844375049cfd902e14e912ce677b3aea38fc0d968905e87 SHA512 7cdd762ec90ce12a30fa36b1d66d1ea82d9fa21e514e2b9c7fcbe2541514ee0fadf30843ff352c65512fb270857b51d1517b45e1232b89c6f954ba9ff1833bb3
 DIST tzdata2021e.tar.gz 422509 BLAKE2B e0e1189a1bbfb2ee641b9c4c8d00775372638d46d7aea72ff0c4bcb02b38a65eedaf89e6b272e054245c940369a50c2573e6fc720414e4ab3d45adeda8ed9c75 SHA512 c1e8d04e049157ed5d4af0868855bbd75517e3d7e1db9c41d5283ff260109de46b6fac6be94828201d093e163d868044ac2a9db2bf0aeab800e264d0c73a9119
 DIST tzdata2022a.tar.gz 425833 BLAKE2B 0af5b785a6f5d871b017237ad58d3d9bedd0de38cf18ac51b32cd8df9811215af7af913d8cd3966de695ce65df3f49f52e239196e93b953094763814cc56ecd0 SHA512 542e4559beac8fd8c4af7d08d816fd12cfe7ffcb6f20bba4ff1c20eba717749ef96e5cf599b2fe03b5b8469c0467f8cb1c893008160da281055a123dd9e810d9
 DIST tzdata2022b.tar.gz 432594 BLAKE2B 23732f1c753efeca97bb9d6ed8d487a56c735943cb1062a77a1a76faf0109f86238ef9b0ec9ec92b8bdf1da10435f2c39e1465a7fefe74eab8de730214920249 SHA512 a51418cda50386bc2e82a26201178c282ec225e04867e70a47ef90f42371a4014c70bffebb52ac09ccd893dfa17b0acc782f31527b3579ebdc4a302a9367ddb1
+DIST tzdata2022c.tar.gz 432721 BLAKE2B 087a0e728c6052f91142ef11ad2092e573de99d787ed1e8ff62476b870ff2e3d222a19df01ad624cf06e543aa7e40df89dcd888b9e5fd12f8b5af90bdffc9ac9 SHA512 e2ae92abac6d87ce4ab4ba9012e868e1791b842e083293489debc0c671b9cf135b5b70426dacb6dbebbf6eba24463205225ae45bb7df891a086b25475f85ee0b
 EBUILD timezone-data-2021a-r1.ebuild 5675 BLAKE2B ebb7b82895a58585f688b164655c2d52dbc54d5c2f7234167fa8bcbe87d1189b88e9449cfec7b80aa46edd8e7d2a29047409b81fbd6c8114546668914e49c362 SHA512 1cee878422e1f7939066b439a987883cfb3a3148ab7aa2218cf4c6b83ba5b7fc12301709862339be283dd2e0e4726ac295aaa19eb526c9fdaf0fc32eadf62434
 EBUILD timezone-data-2021e.ebuild 5675 BLAKE2B ebb7b82895a58585f688b164655c2d52dbc54d5c2f7234167fa8bcbe87d1189b88e9449cfec7b80aa46edd8e7d2a29047409b81fbd6c8114546668914e49c362 SHA512 1cee878422e1f7939066b439a987883cfb3a3148ab7aa2218cf4c6b83ba5b7fc12301709862339be283dd2e0e4726ac295aaa19eb526c9fdaf0fc32eadf62434
 EBUILD timezone-data-2022a.ebuild 5690 BLAKE2B 802c5353b34a12920ba3a5b0e6a337a6cf7aae917f0535d41a6744c7800b0bb5ed7d2788240a631b6b6510d8d824600d0be901a93671cb8fe3cb7042ed69b53a SHA512 a2ee84a9dfa04aa74de2cff15778ee7629c1f3e76e2944ef69434ca426a50a18a8ad9f940f52b0e9be3342a5a5be04351260d42dc5f45d41dbc1858781c91f16
 EBUILD timezone-data-2022b.ebuild 5688 BLAKE2B b5c11113d302e575013c624ee7c9e9d85cec8d4c912722022e8d925cbfaa75bd8f8152d5e32e3942eeaa7c969a953e2051e56a4ec8465c8f43a11278f78f631e SHA512 3360a5df8a1a118c47b5b7036af5dc8f9bbd21699a9500af8383a43223ff39195ee34c6904a2c84d9428018681899aca20466f3bf78fc3a5aba6a9bcc7aa6c3f
+EBUILD timezone-data-2022c.ebuild 5732 BLAKE2B 092c43966a67c21070b7e03118e8b51dada506b713c83ac8e7e205a72b22f8aa4405c75d60179d64323aa392603d616dad18deb0ca41ef332723e53453a2c986 SHA512 afde51b2aab6ce0a29988f2ed31e92aa03c475a5c8dfadd2719d8accac17b35a2d340571a9d034decdb5ec2714e6638f67a1f3774a9627a55a2f808e8d40a3c8
 MISC metadata.xml 807 BLAKE2B 24b09c4228c232b607e6e6c165a20e364136d77aa970e72c70124636a038cd3b672bad16ddd68c0b75373be6a09f969e59bc38f7e451bb2869cd46c521e2ca82 SHA512 0b95b32d79651493a04032f175f3320d8975cea714b43fa56aa528f10f51a7c52b58a934828f98a770855485af6f8db048bd2bfa3010802cff8c26ae05bb16e2
diff --git a/sys-libs/timezone-data/timezone-data-2022c.ebuild b/sys-libs/timezone-data/timezone-data-2022c.ebuild
new file mode 100644
index 000000000000..69aa2d54a26a
--- /dev/null
+++ b/sys-libs/timezone-data/timezone-data-2022c.ebuild
@@ -0,0 +1,200 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit toolchain-funcs flag-o-matic
+
+MY_CODE_VER=${PV}
+MY_DATA_VER=${PV}
+DESCRIPTION="Timezone data (/usr/share/zoneinfo) and utilities (tzselect/zic/zdump)"
+HOMEPAGE="https://www.iana.org/time-zones"
+SRC_URI="https://www.iana.org/time-zones/repository/releases/tzdata${MY_DATA_VER}.tar.gz
+	https://www.iana.org/time-zones/repository/releases/tzcode${MY_CODE_VER}.tar.gz"
+
+LICENSE="BSD public-domain"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="nls leaps-timezone zic-slim"
+
+DEPEND="nls? ( virtual/libintl )"
+RDEPEND="${DEPEND}
+	!sys-libs/glibc[vanilla(+)]"
+
+src_unpack() {
+	mkdir -p "${S}" && cd "${S}" || die
+	default
+}
+
+src_prepare() {
+	default
+
+	# check_web contacts validator.w3.org
+	sed -i -e 's/check_tables check_web/check_tables/g' \
+		Makefile || die "Failed to disable check_web"
+
+	tc-is-cross-compiler && cp -pR "${S}" "${S}"-native
+}
+
+src_configure() {
+	tc-export CC
+
+	# bug #471102
+	append-lfs-flags
+
+	if use elibc_Darwin ; then
+		# bug #138251
+		append-cppflags -DSTD_INSPIRED
+	fi
+
+	append-cppflags -DHAVE_GETTEXT=$(usex nls 1 0) -DTZ_DOMAIN='\"libc\"'
+
+	# Upstream default is 'slim', but it breaks quite a few programs
+	# that parse /etc/localtime directly: bug #747538.
+	append-cppflags -DZIC_BLOAT_DEFAULT='\"'$(usex zic-slim slim fat)'\"'
+
+	LDLIBS=""
+	if use nls ; then
+		# See if an external libintl is available. bug #154181, bug #578424
+		local c="${T}/test"
+		echo 'main(){}' > "${c}.c" || die
+		if $(tc-getCC) ${CPPFLAGS} ${CFLAGS} ${LDFLAGS} "${c}.c" -o "${c}" -lintl 2>/dev/null ; then
+			LDLIBS+=" -lintl"
+		fi
+	fi
+}
+
+_emake() {
+	emake \
+		REDO=$(usex leaps-timezone posix_right posix_only) \
+		TOPDIR="${EPREFIX}" \
+		ZICDIR='$(TOPDIR)/usr/bin' \
+		"$@"
+}
+
+src_compile() {
+	_emake \
+		AR="$(tc-getAR)" \
+		cc="$(tc-getCC)" \
+		RANLIB="$(tc-getRANLIB)" \
+		CFLAGS="${CFLAGS} -std=gnu99 ${CPPFLAGS}" \
+		LDFLAGS="${LDFLAGS}" \
+		LDLIBS="${LDLIBS}"
+
+	if tc-is-cross-compiler ; then
+		_emake -C "${S}"-native \
+			AR="$(tc-getBUILD_AR)" \
+			cc="$(tc-getBUILD_CC)" \
+			RANLIB="$(tc-getBUILD_RANLIB)" \
+			CFLAGS="${BUILD_CFLAGS} ${BUILD_CPPFLAGS}" \
+			LDFLAGS="${BUILD_LDFLAGS}" \
+			LDLIBS="${LDLIBS}" \
+			zic
+	fi
+}
+
+src_test() {
+	# VALIDATE_ENV is used for extended/web based tests. Punt on them.
+	emake check VALIDATE_ENV=true
+}
+
+src_install() {
+	local zic=""
+	tc-is-cross-compiler && zic="zic=${S}-native/zic"
+	_emake install ${zic} DESTDIR="${D}" LIBDIR="/nukeit"
+	rm -rf "${D}/nukeit" "${ED}/etc" || die
+
+	insinto /usr/share/zoneinfo
+	doins "${S}"/leap-seconds.list
+
+	# Delete man pages installed by man-pages package.
+	rm "${ED}"/usr/share/man/man5/tzfile.5* "${ED}"/usr/share/man/man8/{tzselect,zdump,zic}.8 || die
+	dodoc CONTRIBUTING README NEWS *.html
+}
+
+get_TIMEZONE() {
+	local tz src="${EROOT}/etc/timezone"
+	if [[ -e ${src} ]] ; then
+		tz=$(sed -e 's:#.*::' -e 's:[[:space:]]*::g' -e '/^$/d' "${src}")
+	else
+		tz="FOOKABLOIE"
+	fi
+
+	[[ -z ${tz} ]] && return 1 || echo "${tz}"
+}
+
+pkg_preinst() {
+	local tz=$(get_TIMEZONE)
+	if [[ ${tz} == right/* || ${tz} == posix/* ]] ; then
+		eerror "The right & posix subdirs are no longer installed as subdirs -- they have been"
+		eerror "relocated to match upstream paths as sibling paths.  Further, posix/xxx is the"
+		eerror "same as xxx, so you should simply drop the posix/ prefix.  You also should not"
+		eerror "be using right/xxx for the system timezone as it breaks programs."
+		die "Please fix your timezone setting"
+	fi
+
+	# Trim the symlink by hand to avoid portage's automatic protection checks.
+	rm -f "${EROOT}"/usr/share/zoneinfo/posix
+
+	if has_version "<=${CATEGORY}/${PN}-2015c" ; then
+		elog "Support for accessing posix/ and right/ directly has been dropped to match"
+		elog "upstream.  There is no need to set TZ=posix/xxx as it is the same as TZ=xxx."
+		elog "For TZ=right/, you can use TZ=../zoneinfo-leaps/xxx instead.  See this post"
+		elog "for details: https://mm.icann.org/pipermail/tz/2015-February/022024.html"
+	fi
+}
+
+configure_tz_data() {
+	# make sure the /etc/localtime file does not get stale #127899
+	local tz src="${EROOT}/etc/timezone" etc_lt="${EROOT}/etc/localtime"
+
+	# If it's a symlink, assume the user knows what they're doing and
+	# they're managing it themselves. #511474
+	if [[ -L "${etc_lt}" ]] ; then
+		einfo "Assuming your ${etc_lt} symlink is what you want; skipping update."
+		return 0
+	fi
+
+	if ! tz=$(get_TIMEZONE) ; then
+		einfo "Assuming your empty ${src} file is what you want; skipping update."
+		return 0
+	fi
+
+	if [[ "${tz}" == "FOOKABLOIE" ]] ; then
+		einfo "You do not have a timezone set in ${src}; skipping update."
+		return 0
+	fi
+
+	local tzpath="${EROOT}/usr/share/zoneinfo/${tz}"
+
+	if [[ ! -e ${tzpath} ]]; then
+		ewarn "The timezone specified in ${src} is not valid."
+		return 1
+	fi
+
+	if [[ -f ${etc_lt} ]]; then
+		# If a regular file already exists, copy over it.
+		ewarn "Found a regular file at ${etc_lt}."
+		ewarn "Some software may expect a symlink instead."
+		ewarn "You may convert it to a symlink by removing the file and running:"
+		ewarn "  emerge --config sys-libs/timezone-data"
+		einfo "Copying ${tzpath} to ${etc_lt}."
+		cp -f "${tzpath}" "${etc_lt}"
+	else
+		# Otherwise, create a symlink and remove the timezone file.
+		tzpath="../usr/share/zoneinfo/${tz}"
+		einfo "Linking ${tzpath} at ${etc_lt}."
+		if ln -snf "${tzpath}" "${etc_lt}"; then
+			einfo "Removing ${src}."
+			rm -f "${src}"
+		fi
+	fi
+}
+
+pkg_config() {
+	configure_tz_data
+}
+
+pkg_postinst() {
+	configure_tz_data
+}
diff --git a/sys-libs/zlib/Manifest b/sys-libs/zlib/Manifest
index 5f9a1a887db2..89c5c9117fb5 100644
--- a/sys-libs/zlib/Manifest
+++ b/sys-libs/zlib/Manifest
@@ -2,6 +2,7 @@ AUX zlib-1.2.11-configure-fix-AR-RANLIB-NM-detection.patch 3209 BLAKE2B 26e9fd2d
 AUX zlib-1.2.11-fix-deflateParams-usage.patch 3017 BLAKE2B 2bb882ea0a7052d4fd10e999451f5358dd180d46098cc67289b370a7ef97a7f6b5c88eb375f6e7476ad96a18b1db34e6e545e7817327766d682d70e946ba0194 SHA512 ad962af0c723ce9dfd76e3f7b0a11f2972a7d7f997514e919010dc43c7d6538c30ed9216498c96b026f503c32a73502690426214f45d73107d377880557f6393
 AUX zlib-1.2.11-minizip-drop-crypt-header.patch 997 BLAKE2B a964dfb26d05045507cb2ebf1154b890782d9952288627dd5093eeeaed9265a6041922e9fef378333ad3b9ac2333d692b06db1d6425df25d6062b9fc42ec8c50 SHA512 158c4b711e8afc248cbd55f2057dede18540ad35ec1a47d0cfb0fe9bf10b1507bb1b4525badcc0a8b6505062d838ee4fb2d4ebfbf9c9d1694336a704bc0b690e
 AUX zlib-1.2.12-CRC-buggy-input.patch 1673 BLAKE2B a45b5c36dc4519f785b29981eaa47de7763fe8a1e65593ad9fd18f4d217e0c9108089ff1b12284728193f76a5cd0cdf3e1e98311cf59302f12eca3143ca3b82e SHA512 a5c5915024c5faca090312500b56c4876bc5b1d7c56253c8b5c192ae499f04cce301dc77d69b2674086366842726552f3a25c3962d26f53e9b5942ce5fb26054
+AUX zlib-1.2.12-CVE-2022-37434.patch 2563 BLAKE2B c2aa6275365965ef5c84668372dde46a2b7579d4f87703ca91332f8473ffa8784772ff3d2105696b5c1b65ca07819a66d4e9c1ef0d6894a44fc78702901647e7 SHA512 6ae143b5de553992c1a5460faae2b309f7e9f049c3afdc5ab7f6cad4479e202affa79b09a058f23dd0f24b07c1a52719b2aa921b4209b2ddbe16caafd6df1cbb
 AUX zlib-1.2.12-fix-CC-logic-in-configure.patch 1427 BLAKE2B 7e76e07dc8aef1ee0f38a237a4a37f8c8fa22e1dffe70407781320a325634bc92a0485de7e0de492354672e008f3a689c16087b87c15b1c893f120f5916f906f SHA512 8cdc6fa6754d5d752ae6e59b491cf6f652feb2ea4839d8debf778bbffb0c5dcd1f952a1e7cdb2e01d6e96fe67197db1ad7908c4d9d4f654932cf3deb97cddb16
 AUX zlib-1.2.12-use-LDFLAGS-in-configure.patch 2593 BLAKE2B da920b443437d2f912a3c49c2db7478b19268418f94dd70c083ff44640c71b752f84763392300fc3e843a4025910375c058a0648bef65c5ca0db419297d32be8 SHA512 d884348c96da593e3abc7f14f3eea19369c9105c9814e38012e68c53c01a51e260439d18bc7a2bb121965ad1636c774f6cb701c062eba5e79eca4f199005b859
 DIST zlib-1.2.11-cygwin-gzopen_w.patch 1170 BLAKE2B fe351436716634bd823da8c2811d332327d335d450d89bee85d7713b09dd454fe6aee264b044a41bf3be603aa36d67943ba6c7d8b46470e180e9b639728b5274 SHA512 14cc63a17fbf6afb6c8a8dd0b92df9807b48e0faf09c88f952083f10716ae62be8de2a0e1424b77fb538605b88898b381160521f2872afdda59e12bd27535c5a
@@ -12,4 +13,5 @@ DIST zlib-1.2.7-cygwin-minizip.patch 2626 BLAKE2B 885f1fda877c0b783618b163702fb4
 EBUILD zlib-1.2.11-r4.ebuild 4414 BLAKE2B 28fff60b4ea6e23298dd32bd782c7a174c0c8fac1395f010b3e93769c3de32e7b26cb2a1fdd631c5dafb86d5a2f4f1e87a1833032d2043b629515254eeaccc5f SHA512 eef5a1d3f41a60a672a8432d6ca514d712dbd227c4e74c461193e35482bb47953a905e513f8a67571621e3f68bf12cc201c3a28a6a418f5c8e2b9f3debdc6acb
 EBUILD zlib-1.2.11-r5.ebuild 4501 BLAKE2B a1162467779ba8a5d0d3f23c95fd7afeddd427ab1c351472bcc6d0f40efab1ff989682f3963f3428fe28ca77f20cb5f19520c85a43025211dfd8de5a2917cf9f SHA512 7dd887d89dd54f6833d31e7de5095c36e9d312a2fed601b077119ee37da5ac53b69ae56755eaed578bb44f2026a34dfcf125d107e7dee311b842bdad0b9992ca
 EBUILD zlib-1.2.12-r2.ebuild 5151 BLAKE2B 699857f73789d3c57387e8a383de99dd9f689acf83662ffb73f57ae96b8dab41908d399209923bcf0efd78b185045ecea14712100df31865cb1ea3e33dcc5c4a SHA512 c7786221d8b50043e12c64abb538faeb458514d464eb45268e8c0b4c6c85ff9ac2c21ade5f6cc545f17ff533224ce1321d58925d32ccc517493d68be1a9ce17a
+EBUILD zlib-1.2.12-r3.ebuild 5216 BLAKE2B 089840eb0d2238813632707bd5f614be0c2ecea96cc4aaf4cad9634ca201ee45964c5131d8bbd7de72ed0fc4ff588a0e138f609a806a878cdec14f8208f903e0 SHA512 016c402fda908514e9a61d31b96eb13280addea05fb0f9fadf351e8db394f9ca0fa92b06abbb8e9d999c889d5781bc4d1a47d06945ff7d1c1464716b5bb57abc
 MISC metadata.xml 494 BLAKE2B a4a57a4153aefc189e407bcb8ce84f7c94581cc66967f69097087da7e6ff48d2de683b919fb00445d095c47ef39d31e01590f8c989ce0e5e01474e73ee2a0565 SHA512 a7e0160c127b3c2a6afe99e95992d9dbd017061303759c299ec38800efd6a9e11a35ae850c23c77c09c8833cd9d61ac1267f6becadf9c22437ee35e4304400c9
diff --git a/sys-libs/zlib/files/zlib-1.2.12-CVE-2022-37434.patch b/sys-libs/zlib/files/zlib-1.2.12-CVE-2022-37434.patch
new file mode 100644
index 000000000000..1ef3b909e435
--- /dev/null
+++ b/sys-libs/zlib/files/zlib-1.2.12-CVE-2022-37434.patch
@@ -0,0 +1,55 @@
+https://bugs.gentoo.org/863851
+https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
+https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d (see https://github.com/curl/curl/issues/9271)
+
+From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
+From: Mark Adler <fork@madler.net>
+Date: Sat, 30 Jul 2022 15:51:11 -0700
+Subject: [PATCH] Fix a bug when getting a gzip header extra field with
+ inflate().
+
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,9 +763,10 @@ int flush;
+                 copy = state->length;
+                 if (copy > have) copy = have;
+                 if (copy) {
++                    len = state->head->extra_len - state->length;
+                     if (state->head != Z_NULL &&
+-                        state->head->extra != Z_NULL) {
+-                        len = state->head->extra_len - state->length;
++                        state->head->extra != Z_NULL &&
++                        len < state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);
+
+From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
+From: Mark Adler <fork@madler.net>
+Date: Mon, 8 Aug 2022 10:50:09 -0700
+Subject: [PATCH] Fix extra field processing bug that dereferences NULL
+ state->head.
+
+The recent commit to fix a gzip header extra field processing bug
+introduced the new bug fixed here.
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,10 +763,10 @@ int flush;
+                 copy = state->length;
+                 if (copy > have) copy = have;
+                 if (copy) {
+-                    len = state->head->extra_len - state->length;
+                     if (state->head != Z_NULL &&
+                         state->head->extra != Z_NULL &&
+-                        len < state->head->extra_max) {
++                        (len = state->head->extra_len - state->length) <
++                            state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);
+
diff --git a/sys-libs/zlib/zlib-1.2.12-r3.ebuild b/sys-libs/zlib/zlib-1.2.12-r3.ebuild
new file mode 100644
index 000000000000..1117652b5367
--- /dev/null
+++ b/sys-libs/zlib/zlib-1.2.12-r3.ebuild
@@ -0,0 +1,199 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Worth keeping an eye on 'develop' branch upstream for possible backports.
+AUTOTOOLS_AUTO_DEPEND="no"
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/madler.asc
+inherit autotools multilib-minimal usr-ldscript verify-sig
+
+CYGWINPATCHES=(
+	"https://github.com/cygwinports/zlib/raw/22a3462cae33a82ad966ea0a7d6cbe8fc1368fec/1.2.11-gzopen_w.patch -> ${PN}-1.2.11-cygwin-gzopen_w.patch"
+	"https://github.com/cygwinports/zlib/raw/22a3462cae33a82ad966ea0a7d6cbe8fc1368fec/1.2.7-minizip-cygwin.patch -> ${PN}-1.2.7-cygwin-minizip.patch"
+)
+
+DESCRIPTION="Standard (de)compression library"
+HOMEPAGE="https://zlib.net/"
+SRC_URI="https://zlib.net/${P}.tar.gz
+	https://zlib.net/fossils/${P}.tar.gz
+	https://www.gzip.org/zlib/${P}.tar.gz
+	https://www.zlib.net/current/beta/${P}.tar.gz
+	verify-sig? ( https://zlib.net/${P}.tar.gz.asc )
+	elibc_Cygwin? ( ${CYGWINPATCHES[*]} )"
+
+LICENSE="ZLIB"
+SLOT="0/1" # subslot = SONAME
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
+IUSE="minizip static-libs"
+
+RDEPEND="!sys-libs/zlib-ng[compat]"
+DEPEND="${RDEPEND}"
+BDEPEND="minizip? ( ${AUTOTOOLS_DEPEND} )
+	verify-sig? ( sec-keys/openpgp-keys-madler )"
+
+PATCHES=(
+	# Don't install unexpected & unused crypt.h header (which would clash with other pkgs)
+	# Pending upstream. bug #658536
+	"${FILESDIR}"/${PN}-1.2.11-minizip-drop-crypt-header.patch
+
+	# Respect AR, RANLIB, NM during build. Pending upstream. bug #831628
+	"${FILESDIR}"/${PN}-1.2.11-configure-fix-AR-RANLIB-NM-detection.patch
+
+	# Respect LDFLAGS during configure tests. Pending upstream
+	"${FILESDIR}"/${PN}-1.2.12-use-LDFLAGS-in-configure.patch
+
+	# Fix broken CC logic
+	"${FILESDIR}"/${P}-fix-CC-logic-in-configure.patch
+
+	# Backport for Java (and others), bug #836370
+	"${FILESDIR}"/${P}-CRC-buggy-input.patch
+
+	# bug #863851
+	"${FILESDIR}"/${P}-CVE-2022-37434.patch
+)
+
+src_prepare() {
+	default
+
+	if use elibc_Cygwin ; then
+		local p
+		for p in "${CYGWINPATCHES[@]}" ; do
+			# Strip out the "... -> " from the array
+			eapply -p2 "${DISTDIR}/${p#*> }"
+		done
+	fi
+
+	if use minizip ; then
+		cd contrib/minizip || die
+		eautoreconf
+	fi
+
+	case ${CHOST} in
+		*-cygwin*)
+			# Do not use _wopen, it's a mingw-only symbol
+			sed -i -e '/define WIDECHAR/d' "${S}"/gzguts.h || die
+
+			# zlib1.dll is the mingw name, need cygz.dll
+			# cygz.dll is loaded by toolchain, put into subdir
+			sed -i -e 's|zlib1.dll|win32/cygz.dll|' win32/Makefile.gcc || die
+
+			;;
+	esac
+
+	case ${CHOST} in
+		*-mingw*|mingw*|*-cygwin*)
+			# Uses preconfigured Makefile rather than configure script
+			multilib_copy_sources
+
+			;;
+	esac
+}
+
+echoit() { echo "$@"; "$@"; }
+
+multilib_src_configure() {
+	case ${CHOST} in
+		*-mingw*|mingw*|*-cygwin*)
+			;;
+
+		*)
+			# bug #347167
+			local uname=$("${BROOT}"/usr/share/gnuconfig/config.sub "${CHOST}" | cut -d- -f3)
+
+			local myconf=(
+				--shared
+				--prefix="${EPREFIX}/usr"
+				--libdir="${EPREFIX}/usr/$(get_libdir)"
+				${uname:+--uname=${uname}}
+			)
+
+			# Not an autoconf script, so can't use econf
+			echoit "${S}"/configure "${myconf[@]}" || die
+
+			;;
+	esac
+
+	if use minizip ; then
+		local minizipdir="contrib/minizip"
+		mkdir -p "${BUILD_DIR}/${minizipdir}" || die
+
+		cd ${minizipdir} || die
+		ECONF_SOURCE="${S}/${minizipdir}" econf $(use_enable static-libs static)
+	fi
+}
+
+multilib_src_compile() {
+	case ${CHOST} in
+		*-mingw*|mingw*|*-cygwin*)
+			emake -f win32/Makefile.gcc STRIP=true PREFIX=${CHOST}-
+			sed \
+				-e 's|@prefix@|'"${EPREFIX}"'/usr|g' \
+				-e 's|@exec_prefix@|${prefix}|g' \
+				-e 's|@libdir@|${exec_prefix}/'$(get_libdir)'|g' \
+				-e 's|@sharedlibdir@|${exec_prefix}/'$(get_libdir)'|g' \
+				-e 's|@includedir@|${prefix}/include|g' \
+				-e 's|@VERSION@|'${PV}'|g' \
+				zlib.pc.in > zlib.pc || die
+			;;
+
+		*)
+			emake
+
+			;;
+	esac
+
+	use minizip && emake -C contrib/minizip
+}
+
+sed_macros() {
+	# Clean up namespace a little, bug #383179
+	# We do it here so we only have to tweak 2 files
+	sed -i -r 's:\<(O[FN])\>:_Z_\1:g' "$@" || die
+}
+
+multilib_src_install() {
+	case ${CHOST} in
+		*-mingw*|mingw*|*-cygwin*)
+			emake -f win32/Makefile.gcc install \
+				BINARY_PATH="${ED}/usr/bin" \
+				LIBRARY_PATH="${ED}/usr/$(get_libdir)" \
+				INCLUDE_PATH="${ED}/usr/include" \
+				SHARED_MODE=1
+
+			# Overwrites zlib.pc created from win32/Makefile.gcc, bug #620136
+			insinto /usr/$(get_libdir)/pkgconfig
+			doins zlib.pc
+
+			;;
+
+		*)
+			emake install DESTDIR="${D}" LDCONFIG=:
+			gen_usr_ldscript -a z
+
+			;;
+	esac
+
+	sed_macros "${ED}"/usr/include/*.h
+
+	if use minizip ; then
+		emake -C contrib/minizip install DESTDIR="${D}"
+		sed_macros "${ED}"/usr/include/minizip/*.h
+	fi
+
+	if use minizip; then
+		# This might not exist if slibtool is used.
+		# bug #816756
+		rm -f "${ED}"/usr/$(get_libdir)/libminizip.la || die
+	fi
+
+	if ! use static-libs ; then
+		# bug #419645
+		rm "${ED}"/usr/$(get_libdir)/libz.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	dodoc FAQ README ChangeLog doc/*.txt
+	use minizip && dodoc contrib/minizip/*.txt
+}