pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/devel/apr Add a patch to deal with CVE-2021-35940.



details:   https://anonhg.NetBSD.org/pkgsrc/rev/6aa61afccdb7
branches:  trunk
changeset: 770267:6aa61afccdb7
user:      he <he%pkgsrc.org@localhost>
date:      Sun Nov 28 12:57:05 2021 +0000

description:
Add a patch to deal with CVE-2021-35940.

An out-of-bounds array read in the apr_time_exp*() functions was
fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613).
The fix for this issue was not carried forward to the APR 1.7.x
branch, and hence version 1.7.0 regressed compared to 1.6.3 and is
vulnerable to the same issue.

https://svn.apache.org/viewvc?view=revision&revision=1891198

Bump PKGREVISION.

diffstat:

 devel/apr/Makefile                        |   4 +-
 devel/apr/distinfo                        |   4 ++-
 devel/apr/patches/patch-time_unix_time.c  |  30 +++++++++++++++++++++++
 devel/apr/patches/patch-time_win32_time.c |  39 +++++++++++++++++++++++++++++++
 4 files changed, 74 insertions(+), 3 deletions(-)

diffs (108 lines):

diff -r ccedf1c74801 -r 6aa61afccdb7 devel/apr/Makefile
--- a/devel/apr/Makefile        Sun Nov 28 11:44:13 2021 +0000
+++ b/devel/apr/Makefile        Sun Nov 28 12:57:05 2021 +0000
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.82 2020/02/20 06:25:28 rin Exp $
+# $NetBSD: Makefile,v 1.83 2021/11/28 12:57:05 he Exp $
 #
 # Take care, changelogs often include "PR 12345" strings
 # which cause GNATS indigestion.
 
 DISTNAME=      apr-1.7.0
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    devel
 MASTER_SITES=  ${MASTER_SITE_APACHE:=apr/}
 EXTRACT_SUFX=  .tar.bz2
diff -r ccedf1c74801 -r 6aa61afccdb7 devel/apr/distinfo
--- a/devel/apr/distinfo        Sun Nov 28 11:44:13 2021 +0000
+++ b/devel/apr/distinfo        Sun Nov 28 12:57:05 2021 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.48 2021/10/26 10:14:15 nia Exp $
+$NetBSD: distinfo,v 1.49 2021/11/28 12:57:05 he Exp $
 
 BLAKE2s (apr-1.7.0.tar.bz2) = f6126e30d08bc9dd7333bb9ee5814d606ae3b8f26f31ac6132bc918c22e57de0
 SHA512 (apr-1.7.0.tar.bz2) = 3dc42d5caf17aab16f5c154080f020d5aed761e22db4c5f6506917f6bfd2bf8becfb40af919042bd4ce1077d5de74aa666f5edfba7f275efba78e8893c115148
@@ -7,3 +7,5 @@
 SHA1 (patch-atomic_unix_builtins64.c) = e24316e93dae12efc1cbfc3f444e8622df5e5833
 SHA1 (patch-include_apr__general.h) = bff357eee11218a6c53769278fc3f9094b062fdf
 SHA1 (patch-include_arch_unix_apr__arch__atomic.h) = 6f226add54f5966a50985441f6903853a0728c88
+SHA1 (patch-time_unix_time.c) = d3da97cb4b6c7b6416fecb49006470db46084276
+SHA1 (patch-time_win32_time.c) = aee61377826292c238352241a304eb6905a1b2dc
diff -r ccedf1c74801 -r 6aa61afccdb7 devel/apr/patches/patch-time_unix_time.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/devel/apr/patches/patch-time_unix_time.c  Sun Nov 28 12:57:05 2021 +0000
@@ -0,0 +1,30 @@
+$NetBSD: patch-time_unix_time.c,v 1.1 2021/11/28 12:57:05 he Exp $
+
+SECURITY: CVE-2021-35940 (cve.mitre.org)
+
+Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though
+was addressed in 1.6.x in 1.6.3 and later via r1807976.
+
+The fix was merged back to 1.7.x in r1891198.
+
+Since this was a regression in 1.7.0, a new CVE name has been assigned
+to track this, CVE-2021-35940.
+
+Thanks to Iveta Cesalova <icesalov redhat.com> for reporting this issue.
+
+https://svn.apache.org/viewvc?view=revision&revision=1891198
+
+Index: time/unix/time.c
+===================================================================
+--- time/unix/time.c   (revision 1891197)
++++ time/unix/time.c   (revision 1891198)
+@@ -142,6 +142,9 @@
+     static const int dayoffset[12] =
+     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ 
++    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++        return APR_EBADDATE;
++
+     /* shift new year to 1st March in order to make leap year calc easy */
+ 
+     if (xt->tm_mon < 2)
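
Review bot: in the inner @@ -142,6 +142,9 @@ hunk the bound is the literal 12, tied to the size of dayoffset[12] only by convention. Keeping the text identical to upstream r1891198 is the right call for a pkgsrc patch, but the header comment should also say that this file can be removed once the package is updated to a release that contains r1891198, so the next updater does not have to work that out from the revision numbers.
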
diff -r ccedf1c74801 -r 6aa61afccdb7 devel/apr/patches/patch-time_win32_time.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/devel/apr/patches/patch-time_win32_time.c Sun Nov 28 12:57:05 2021 +0000
@@ -0,0 +1,39 @@
+
+SECURITY: CVE-2021-35940 (cve.mitre.org)
+
+Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though
+was addressed in 1.6.x in 1.6.3 and later via r1807976.
+
+The fix was merged back to 1.7.x in r1891198.
+
+Since this was a regression in 1.7.0, a new CVE name has been assigned
+to track this, CVE-2021-35940.
+
+Thanks to Iveta Cesalova <icesalov redhat.com> for reporting this issue.
+
+https://svn.apache.org/viewvc?view=revision&revision=1891198
+
+Index: time/win32/time.c
+===================================================================
+--- time/win32/time.c  (revision 1891197)
++++ time/win32/time.c  (revision 1891198)
+@@ -54,6 +54,9 @@
+     static const int dayoffset[12] =
+     {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
+ 
++    if (tm->wMonth < 1 || tm->wMonth > 12)
++        return APR_EBADDATE;
++
+     /* Note; the caller is responsible for filling in detailed tm_usec,
+      * tm_gmtoff and tm_isdst data when applicable.
+      */
+@@ -228,6 +231,9 @@
+     static const int dayoffset[12] =
+     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ 
++    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++        return APR_EBADDATE;
++
+     /* shift new year to 1st March in order to make leap year calc easy */
+ 
+     if (xt->tm_mon < 2)
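
Review bot: this patch file opens with an empty line where patch-time_unix_time.c opens with its $NetBSD$ tag line, so the RCS id line is missing here; add it at the top and regenerate the distinfo entry if the checksum changes. In the inner @@ -54,6 +54,9 @@ hunk the check treats wMonth as 1-based (< 1 || > 12) while dayoffset[12] has indices 0 to 11, and the lines shown do not include the index expression, so confirm against the full file that the array is indexed with wMonth - 1.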


