[Buildroot] [PATCH 1/1] package/apr: fix CVE-2021-35940
Arnout Vandecappelle
arnout at mind.be
Mon Apr 4 17:40:13 UTC 2022
On 31/03/2022 23:00, Fabrice Fontaine wrote:
> An out-of-bounds array read in the apr_time_exp*() functions was fixed
> in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix
> for this issue was not carried forward to the APR 1.7.x branch, and
> hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the
> same issue.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Applied to master, thanks.
Regards,
Arnout
> ---
> .../apr/0004-apr-1.7.0-CVE-2021-35940.patch | 57 +++++++++++++++++++
> package/apr/apr.mk | 3 +
> 2 files changed, 60 insertions(+)
> create mode 100644 package/apr/0004-apr-1.7.0-CVE-2021-35940.patch
>
> diff --git a/package/apr/0004-apr-1.7.0-CVE-2021-35940.patch b/package/apr/0004-apr-1.7.0-CVE-2021-35940.patch
> new file mode 100644
> index 0000000000..b065a3330a
> --- /dev/null
> +++ b/package/apr/0004-apr-1.7.0-CVE-2021-35940.patch
> @@ -0,0 +1,57 @@
> +
> +SECURITY: CVE-2021-35940 (cve.mitre.org)
> +
> +Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though
> +was addressed in 1.6.x in 1.6.3 and later via r1807976.
> +
> +The fix was merged back to 1.7.x in r1891198.
> +
> +Since this was a regression in 1.7.0, a new CVE name has been assigned
> +to track this, CVE-2021-35940.
> +
> +Thanks to Iveta Cesalova <icesalov redhat.com> for reporting this issue.
> +
> +https://svn.apache.org/viewvc?view=revision&revision=1891198
> +
> +[Retrieved from:
> +https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> +
> +Index: ./time/unix/time.c
> +===================================================================
> +--- ./time/unix/time.c (revision 1891197)
> ++++ ./time/unix/time.c (revision 1891198)
> +@@ -142,6 +142,9 @@
> + static const int dayoffset[12] =
> + {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
> +
> ++ if (xt->tm_mon < 0 || xt->tm_mon >= 12)
> ++ return APR_EBADDATE;
> ++
> + /* shift new year to 1st March in order to make leap year calc easy */
> +
> + if (xt->tm_mon < 2)
> +Index: ./time/win32/time.c
> +===================================================================
> +--- ./time/win32/time.c (revision 1891197)
> ++++ ./time/win32/time.c (revision 1891198)
> +@@ -54,6 +54,9 @@
> + static const int dayoffset[12] =
> + {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
> +
> ++ if (tm->wMonth < 1 || tm->wMonth > 12)
> ++ return APR_EBADDATE;
> ++
> + /* Note; the caller is responsible for filling in detailed tm_usec,
> + * tm_gmtoff and tm_isdst data when applicable.
> + */
> +@@ -228,6 +231,9 @@
> + static const int dayoffset[12] =
> + {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
> +
> ++ if (xt->tm_mon < 0 || xt->tm_mon >= 12)
> ++ return APR_EBADDATE;
> ++
> + /* shift new year to 1st March in order to make leap year calc easy */
> +
> + if (xt->tm_mon < 2)
> diff --git a/package/apr/apr.mk b/package/apr/apr.mk
> index c45829aacc..74129ed77e 100644
> --- a/package/apr/apr.mk
> +++ b/package/apr/apr.mk
> @@ -16,6 +16,9 @@ APR_INSTALL_STAGING = YES
> # so we need to autoreconf:
> APR_AUTORECONF = YES
>
> +# 0004-apr-1.7.0-CVE-2021-35940.patch
> +APR_IGNORE_CVES += CVE-2021-35940
> +
> # avoid apr_hints.m4 by setting apr_preload_done=yes and set
> # the needed CFLAGS on our own (avoids '-D_REENTRANT' in case
> # not supported by toolchain and subsequent configure failure)
More information about the buildroot
mailing list