apr: Security fix for CVE-2021-35940

Source: https://dist.apache.org MR: 112793 Type: Security Fix Disposition: Backport from https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch ChangeID: c8247210204ffcc7d1425e3d60f077ad3dd54ebc Description: An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue. (From OE-Core rev: 315262830bfe2bc8b2a9259541bb3a0bc83a2cdd) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2021-09-10 20:00:01 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-09-30 00:02:22 +0100
commit: eb3e28fa18a882982c6aaee9ac7a0090e746735d (patch)
tree: 65d629d0b0576ad87879c9d40208889ea69f15bf
parent: 60383990481408e0b4c131102aa9e2905ac5d1d1 (diff)
download: poky-eb3e28fa18a882982c6aaee9ac7a0090e746735d.tar.gz
2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-support/apr/apr/CVE-2021-35940.patch b/meta/recipes-support/apr/apr/CVE-2021-35940.patch
new file mode 100644
index 0000000000..00befdacee
--- /dev/null
+++ b/meta/recipes-support/apr/apr/CVE-2021-35940.patch
@@ -0,0 +1,58 @@
+SECURITY: CVE-2021-35940 (cve.mitre.org)
+Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though
+was addressed in 1.6.x in 1.6.3 and later via r1807976.
+The fix was merged back to 1.7.x in r1891198.
+Since this was a regression in 1.7.0, a new CVE name has been assigned
+to track this, CVE-2021-35940.
+Thanks to Iveta Cesalova <icesalov redhat.com> for reporting this issue.
+https://svn.apache.org/viewvc?view=revision&revision=1891198
+Upstream-Status: Backport
+CVE: CVE-2021-35940
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: time/unix/time.c
+===================================================================
+--- a/time/unix/time.c  (revision 1891197)
+++ b/time/unix/time.c  (revision 1891198)
+@@ -142,6 +142,9 @@
+     static const int dayoffset[12] =
+     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ 
+    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
+        return APR_EBADDATE;
+
+     /* shift new year to 1st March in order to make leap year calc easy */
+ 
+     if (xt->tm_mon < 2)
+Index: time/win32/time.c
+===================================================================
+--- a/time/win32/time.c (revision 1891197)
+++ b/time/win32/time.c (revision 1891198)
+@@ -54,6 +54,9 @@
+     static const int dayoffset[12] =
+     {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
+ 
+    if (tm->wMonth < 1 || tm->wMonth > 12)
+        return APR_EBADDATE;
+
+     /* Note; the caller is responsible for filling in detailed tm_usec,
+      * tm_gmtoff and tm_isdst data when applicable.
+      */
+@@ -228,6 +231,9 @@
+     static const int dayoffset[12] =
+     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ 
+    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
+        return APR_EBADDATE;
+
+     /* shift new year to 1st March in order to make leap year calc easy */
+ 
+     if (xt->tm_mon < 2)
diff --git a/meta/recipes-support/apr/apr_1.7.0.bb b/meta/recipes-support/apr/apr_1.7.0.bb
index 432fa3255c..92cc61a864 100644
--- a/meta/recipes-support/apr/apr_1.7.0.bb
+++ b/meta/recipes-support/apr/apr_1.7.0.bb
@@ -23,6 +23,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \
           file://0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch \
           file://libtoolize_check.patch \
           file://0001-Add-option-to-disable-timed-dependant-tests.patch \
+           file://CVE-2021-35940.patch \
           "
 SRC_URI[md5sum] = "7a14a83d664e87599ea25ff4432e48a7"
author	Armin Kuster <akuster@mvista.com>	2021-09-10 20:00:01 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-09-30 00:02:22 +0100
commit	eb3e28fa18a882982c6aaee9ac7a0090e746735d (patch)
tree	65d629d0b0576ad87879c9d40208889ea69f15bf
parent	60383990481408e0b4c131102aa9e2905ac5d1d1 (diff)
download	poky-eb3e28fa18a882982c6aaee9ac7a0090e746735d.tar.gz

diff --git a/meta/recipes-support/apr/apr/CVE-2021-35940.patch b/meta/recipes-support/apr/apr/CVE-2021-35940.patch new file mode 100644 index 0000000000..00befdacee --- /dev/null +++ b/meta/recipes-support/apr/apr/CVE-2021-35940.patch
@@ -0,0 +1,58 @@
		1
		2	SECURITY: CVE-2021-35940 (cve.mitre.org)
		3
		4	Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though
		5	was addressed in 1.6.x in 1.6.3 and later via r1807976.
		6
		7	The fix was merged back to 1.7.x in r1891198.
		8
		9	Since this was a regression in 1.7.0, a new CVE name has been assigned
		10	to track this, CVE-2021-35940.
		11
		12	Thanks to Iveta Cesalova <icesalov redhat.com> for reporting this issue.
		13
		14	https://svn.apache.org/viewvc?view=revision&revision=1891198
		15
		16	Upstream-Status: Backport
		17	CVE: CVE-2021-35940
		18	Signed-off-by: Armin Kuster <akuster@mvista.com>
		19
		20
		21	Index: time/unix/time.c
		22	===================================================================
		23	--- a/time/unix/time.c (revision 1891197)
		24	+++ b/time/unix/time.c (revision 1891198)
		25	@@ -142,6 +142,9 @@
		26	static const int dayoffset[12] =
		27	{306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
		28
		29	+ if (xt->tm_mon < 0 \|\| xt->tm_mon >= 12)
		30	+ return APR_EBADDATE;
		31	+
		32	/* shift new year to 1st March in order to make leap year calc easy */
		33
		34	if (xt->tm_mon < 2)
		35	Index: time/win32/time.c
		36	===================================================================
		37	--- a/time/win32/time.c (revision 1891197)
		38	+++ b/time/win32/time.c (revision 1891198)
		39	@@ -54,6 +54,9 @@
		40	static const int dayoffset[12] =
		41	{0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
		42
		43	+ if (tm->wMonth < 1 \|\| tm->wMonth > 12)
		44	+ return APR_EBADDATE;
		45	+
		46	/* Note; the caller is responsible for filling in detailed tm_usec,
		47	* tm_gmtoff and tm_isdst data when applicable.
		48	*/
		49	@@ -228,6 +231,9 @@
		50	static const int dayoffset[12] =
		51	{306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
		52
		53	+ if (xt->tm_mon < 0 \|\| xt->tm_mon >= 12)
		54	+ return APR_EBADDATE;
		55	+
		56	/* shift new year to 1st March in order to make leap year calc easy */
		57
		58	if (xt->tm_mon < 2)


diff --git a/meta/recipes-support/apr/apr_1.7.0.bb b/meta/recipes-support/apr/apr_1.7.0.bb index 432fa3255c..92cc61a864 100644 --- a/meta/recipes-support/apr/apr_1.7.0.bb +++ b/meta/recipes-support/apr/apr_1.7.0.bb
@@ -23,6 +23,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \
23	file://0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch \	23	file://0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch \
24	file://libtoolize_check.patch \	24	file://libtoolize_check.patch \
25	file://0001-Add-option-to-disable-timed-dependant-tests.patch \	25	file://0001-Add-option-to-disable-timed-dependant-tests.patch \
		26	file://CVE-2021-35940.patch \
26	"	27	"
27		28
28	SRC_URI[md5sum] = "7a14a83d664e87599ea25ff4432e48a7"	29	SRC_URI[md5sum] = "7a14a83d664e87599ea25ff4432e48a7"