pkgsrc-Changes archive


CVS commit: pkgsrc/devel/apr



Module Name:    pkgsrc
Committed By:   he
Date:           Sun Nov 28 12:57:05 UTC 2021

Modified Files:
        pkgsrc/devel/apr: Makefile distinfo
Added Files:
        pkgsrc/devel/apr/patches: patch-time_unix_time.c
            patch-time_win32_time.c

Log Message:
Add a patch to deal with CVE-2021-35940.

An out-of-bounds array read in the apr_time_exp*() functions was
fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613).
The fix for this issue was not carried forward to the APR 1.7.x
branch, and hence version 1.7.0 regressed compared to 1.6.3 and is
vulnerable to the same issue.

https://svn.apache.org/viewvc?view=revision&revision=1891198

Bump PKGREVISION.


To generate a diff of this commit:
cvs rdiff -u -r1.82 -r1.83 pkgsrc/devel/apr/Makefile
cvs rdiff -u -r1.48 -r1.49 pkgsrc/devel/apr/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/devel/apr/patches/patch-time_unix_time.c \
    pkgsrc/devel/apr/patches/patch-time_win32_time.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/devel/apr/Makefile
diff -u pkgsrc/devel/apr/Makefile:1.82 pkgsrc/devel/apr/Makefile:1.83
--- pkgsrc/devel/apr/Makefile:1.82      Thu Feb 20 06:25:28 2020
+++ pkgsrc/devel/apr/Makefile   Sun Nov 28 12:57:05 2021
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.82 2020/02/20 06:25:28 rin Exp $
+# $NetBSD: Makefile,v 1.83 2021/11/28 12:57:05 he Exp $
 #
 # Take care, changelogs often include "PR 12345" strings
 # which cause GNATS indigestion.
 
 DISTNAME=      apr-1.7.0
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    devel
 MASTER_SITES=  ${MASTER_SITE_APACHE:=apr/}
 EXTRACT_SUFX=  .tar.bz2

Index: pkgsrc/devel/apr/distinfo
diff -u pkgsrc/devel/apr/distinfo:1.48 pkgsrc/devel/apr/distinfo:1.49
--- pkgsrc/devel/apr/distinfo:1.48      Tue Oct 26 10:14:15 2021
+++ pkgsrc/devel/apr/distinfo   Sun Nov 28 12:57:05 2021
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.48 2021/10/26 10:14:15 nia Exp $
+$NetBSD: distinfo,v 1.49 2021/11/28 12:57:05 he Exp $
 
 BLAKE2s (apr-1.7.0.tar.bz2) = f6126e30d08bc9dd7333bb9ee5814d606ae3b8f26f31ac6132bc918c22e57de0
 SHA512 (apr-1.7.0.tar.bz2) = 3dc42d5caf17aab16f5c154080f020d5aed761e22db4c5f6506917f6bfd2bf8becfb40af919042bd4ce1077d5de74aa666f5edfba7f275efba78e8893c115148
@@ -7,3 +7,5 @@ SHA1 (patch-atomic_unix_builtins.c) = e9
 SHA1 (patch-atomic_unix_builtins64.c) = e24316e93dae12efc1cbfc3f444e8622df5e5833
 SHA1 (patch-include_apr__general.h) = bff357eee11218a6c53769278fc3f9094b062fdf
 SHA1 (patch-include_arch_unix_apr__arch__atomic.h) = 6f226add54f5966a50985441f6903853a0728c88
+SHA1 (patch-time_unix_time.c) = d3da97cb4b6c7b6416fecb49006470db46084276
+SHA1 (patch-time_win32_time.c) = aee61377826292c238352241a304eb6905a1b2dc

Added files:

Index: pkgsrc/devel/apr/patches/patch-time_unix_time.c
diff -u /dev/null pkgsrc/devel/apr/patches/patch-time_unix_time.c:1.1
--- /dev/null   Sun Nov 28 12:57:05 2021
+++ pkgsrc/devel/apr/patches/patch-time_unix_time.c     Sun Nov 28 12:57:05 2021
@@ -0,0 +1,30 @@
+$NetBSD: patch-time_unix_time.c,v 1.1 2021/11/28 12:57:05 he Exp $
+
+SECURITY: CVE-2021-35940 (cve.mitre.org)
+
+Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though
+was addressed in 1.6.x in 1.6.3 and later via r1807976.
+
+The fix was merged back to 1.7.x in r1891198.
+
+Since this was a regression in 1.7.0, a new CVE name has been assigned
+to track this, CVE-2021-35940.
+
+Thanks to Iveta Cesalova <icesalov redhat.com> for reporting this issue.
+
+https://svn.apache.org/viewvc?view=revision&revision=1891198
+
+Index: time/unix/time.c
+===================================================================
+--- time/unix/time.c   (revision 1891197)
++++ time/unix/time.c   (revision 1891198)
+@@ -142,6 +142,9 @@
+     static const int dayoffset[12] =
+     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ 
++    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++        return APR_EBADDATE;
++
+     /* shift new year to 1st March in order to make leap year calc easy */
+ 
+     if (xt->tm_mon < 2)
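Review bot: the header text above `Index: time/unix/time.c` records the upstream revision but not when this patch can be retired; since it is a backport of r1891198, add a line saying it should be dropped once the package moves to an APR release that contains that revision. The guard itself sits ahead of the first visible use of the index, `if (xt->tm_mon < 2)`, and rejects both ends of the `dayoffset[12]` range; keep the literal `12` as upstream has it so the patch stays identical to r1891198.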
Index: pkgsrc/devel/apr/patches/patch-time_win32_time.c
diff -u /dev/null pkgsrc/devel/apr/patches/patch-time_win32_time.c:1.1
--- /dev/null   Sun Nov 28 12:57:05 2021
+++ pkgsrc/devel/apr/patches/patch-time_win32_time.c    Sun Nov 28 12:57:05 2021
@@ -0,0 +1,39 @@
+
+SECURITY: CVE-2021-35940 (cve.mitre.org)
+
+Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though
+was addressed in 1.6.x in 1.6.3 and later via r1807976.
+
+The fix was merged back to 1.7.x in r1891198.
+
+Since this was a regression in 1.7.0, a new CVE name has been assigned
+to track this, CVE-2021-35940.
+
+Thanks to Iveta Cesalova <icesalov redhat.com> for reporting this issue.
+
+https://svn.apache.org/viewvc?view=revision&revision=1891198
+
+Index: time/win32/time.c
+===================================================================
+--- time/win32/time.c  (revision 1891197)
++++ time/win32/time.c  (revision 1891198)
+@@ -54,6 +54,9 @@
+     static const int dayoffset[12] =
+     {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
+ 
++    if (tm->wMonth < 1 || tm->wMonth > 12)
++        return APR_EBADDATE;
++
+     /* Note; the caller is responsible for filling in detailed tm_usec,
+      * tm_gmtoff and tm_isdst data when applicable.
+      */
+@@ -228,6 +231,9 @@
+     static const int dayoffset[12] =
+     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ 
++    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++        return APR_EBADDATE;
++
+     /* shift new year to 1st March in order to make leap year calc easy */
+ 
+     if (xt->tm_mon < 2)
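Review bot: the first line of this new file is empty, where patch-time_unix_time.c starts with its `$NetBSD$` RCS id line; add the id line so both patch files carry the same header. The two guards use different ranges, `tm->wMonth < 1 || tm->wMonth > 12` at @@ -54 and `xt->tm_mon < 0 || xt->tm_mon >= 12` at @@ -228, which fits a 1-based wMonth and a 0-based tm_mon, but the expression that indexes the first `dayoffset[12]` is outside the context shown, so confirm it subtracts 1 from wMonth before the lookup.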


