apr: Security fix for CVE-2021-35940

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue. (From OE-Core rev: d52b78c75323fb254b5d0216f9183573b353abd3) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster808@gmail.com> 2021-09-10 19:59:17 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-09-11 22:39:20 +0100
commit: 54a8d36902d6a6544cbc3c49a3d5325d331c428f (patch)
tree: f99a0740995dd33a12e8647e0185acc85d0311b0
parent: 9886ef691aa117d67e4342c6a5e3f79f6a05f8d5 (diff)
download: poky-54a8d36902d6a6544cbc3c49a3d5325d331c428f.tar.gz
2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-support/apr/apr/CVE-2021-35940.patch b/meta/recipes-support/apr/apr/CVE-2021-35940.patch
new file mode 100644
index 0000000000..00befdacee
--- /dev/null
+++ b/meta/recipes-support/apr/apr/CVE-2021-35940.patch
@@ -0,0 +1,58 @@
+SECURITY: CVE-2021-35940 (cve.mitre.org)
+Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though
+was addressed in 1.6.x in 1.6.3 and later via r1807976.
+The fix was merged back to 1.7.x in r1891198.
+Since this was a regression in 1.7.0, a new CVE name has been assigned
+to track this, CVE-2021-35940.
+Thanks to Iveta Cesalova <icesalov redhat.com> for reporting this issue.
+https://svn.apache.org/viewvc?view=revision&revision=1891198
+Upstream-Status: Backport
+CVE: CVE-2021-35940
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: time/unix/time.c
+===================================================================
+--- a/time/unix/time.c  (revision 1891197)
+++ b/time/unix/time.c  (revision 1891198)
+@@ -142,6 +142,9 @@
+     static const int dayoffset[12] =
+     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ 
+    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
+        return APR_EBADDATE;
+
+     /* shift new year to 1st March in order to make leap year calc easy */
+ 
+     if (xt->tm_mon < 2)
+Index: time/win32/time.c
+===================================================================
+--- a/time/win32/time.c (revision 1891197)
+++ b/time/win32/time.c (revision 1891198)
+@@ -54,6 +54,9 @@
+     static const int dayoffset[12] =
+     {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
+ 
+    if (tm->wMonth < 1 || tm->wMonth > 12)
+        return APR_EBADDATE;
+
+     /* Note; the caller is responsible for filling in detailed tm_usec,
+      * tm_gmtoff and tm_isdst data when applicable.
+      */
+@@ -228,6 +231,9 @@
+     static const int dayoffset[12] =
+     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ 
+    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
+        return APR_EBADDATE;
+
+     /* shift new year to 1st March in order to make leap year calc easy */
+ 
+     if (xt->tm_mon < 2)
diff --git a/meta/recipes-support/apr/apr_1.7.0.bb b/meta/recipes-support/apr/apr_1.7.0.bb
index 08d9edf3c2..5f8fd6a461 100644
--- a/meta/recipes-support/apr/apr_1.7.0.bb
+++ b/meta/recipes-support/apr/apr_1.7.0.bb
@@ -24,6 +24,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \
           file://libtoolize_check.patch \
           file://0001-Add-option-to-disable-timed-dependant-tests.patch \
           file://autoconf270.patch \
+           file://CVE-2021-35940.patch \
           "
 SRC_URI[md5sum] = "7a14a83d664e87599ea25ff4432e48a7"
author	Armin Kuster <akuster808@gmail.com>	2021-09-10 19:59:17 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-09-11 22:39:20 +0100
commit	54a8d36902d6a6544cbc3c49a3d5325d331c428f (patch)
tree	f99a0740995dd33a12e8647e0185acc85d0311b0
parent	9886ef691aa117d67e4342c6a5e3f79f6a05f8d5 (diff)
download	poky-54a8d36902d6a6544cbc3c49a3d5325d331c428f.tar.gz

diff --git a/meta/recipes-support/apr/apr/CVE-2021-35940.patch b/meta/recipes-support/apr/apr/CVE-2021-35940.patch new file mode 100644 index 0000000000..00befdacee --- /dev/null +++ b/meta/recipes-support/apr/apr/CVE-2021-35940.patch
@@ -0,0 +1,58 @@
		1
		2	SECURITY: CVE-2021-35940 (cve.mitre.org)
		3
		4	Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though
		5	was addressed in 1.6.x in 1.6.3 and later via r1807976.
		6
		7	The fix was merged back to 1.7.x in r1891198.
		8
		9	Since this was a regression in 1.7.0, a new CVE name has been assigned
		10	to track this, CVE-2021-35940.
		11
		12	Thanks to Iveta Cesalova <icesalov redhat.com> for reporting this issue.
		13
		14	https://svn.apache.org/viewvc?view=revision&revision=1891198
		15
		16	Upstream-Status: Backport
		17	CVE: CVE-2021-35940
		18	Signed-off-by: Armin Kuster <akuster@mvista.com>
		19
		20
		21	Index: time/unix/time.c
		22	===================================================================
		23	--- a/time/unix/time.c (revision 1891197)
		24	+++ b/time/unix/time.c (revision 1891198)
		25	@@ -142,6 +142,9 @@
		26	static const int dayoffset[12] =
		27	{306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
		28
		29	+ if (xt->tm_mon < 0 \|\| xt->tm_mon >= 12)
		30	+ return APR_EBADDATE;
		31	+
		32	/* shift new year to 1st March in order to make leap year calc easy */
		33
		34	if (xt->tm_mon < 2)
		35	Index: time/win32/time.c
		36	===================================================================
		37	--- a/time/win32/time.c (revision 1891197)
		38	+++ b/time/win32/time.c (revision 1891198)
		39	@@ -54,6 +54,9 @@
		40	static const int dayoffset[12] =
		41	{0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
		42
		43	+ if (tm->wMonth < 1 \|\| tm->wMonth > 12)
		44	+ return APR_EBADDATE;
		45	+
		46	/* Note; the caller is responsible for filling in detailed tm_usec,
		47	* tm_gmtoff and tm_isdst data when applicable.
		48	*/
		49	@@ -228,6 +231,9 @@
		50	static const int dayoffset[12] =
		51	{306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
		52
		53	+ if (xt->tm_mon < 0 \|\| xt->tm_mon >= 12)
		54	+ return APR_EBADDATE;
		55	+
		56	/* shift new year to 1st March in order to make leap year calc easy */
		57
		58	if (xt->tm_mon < 2)


diff --git a/meta/recipes-support/apr/apr_1.7.0.bb b/meta/recipes-support/apr/apr_1.7.0.bb index 08d9edf3c2..5f8fd6a461 100644 --- a/meta/recipes-support/apr/apr_1.7.0.bb +++ b/meta/recipes-support/apr/apr_1.7.0.bb
@@ -24,6 +24,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \
24	file://libtoolize_check.patch \	24	file://libtoolize_check.patch \
25	file://0001-Add-option-to-disable-timed-dependant-tests.patch \	25	file://0001-Add-option-to-disable-timed-dependant-tests.patch \
26	file://autoconf270.patch \	26	file://autoconf270.patch \
		27	file://CVE-2021-35940.patch \
27	"	28	"
28		29
29	SRC_URI[md5sum] = "7a14a83d664e87599ea25ff4432e48a7"	30	SRC_URI[md5sum] = "7a14a83d664e87599ea25ff4432e48a7"