Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

[ Impact ]
Medium vulnerability

[ Tests ]
No change in tests (tests are run only during build; no autopkgtest here)

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
This patch just adds some little checks (a month should not be outside of [1-12]).

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index 2331e3e..355b51a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +apr (1.7.0-6+deb11u1) bullseye; urgency=medium + + * Team upload + + [ Salvatore Bonaccorso ] + * Out-of-bounds array dereference in apr_time_exp*() functions + (CVE-2021-35940) (Closes: #992789) + + -- Yadd <y...@debian.org> Tue, 24 Aug 2021 09:18:26 +0200 + apr (1.7.0-6) unstable; urgency=medium [ John Paul Adrian Glaubitz ] diff --git a/debian/patches/CVE-2021-35940.patch b/debian/patches/CVE-2021-35940.patch new file mode 100644 index 0000000..6f215fc --- /dev/null +++ b/debian/patches/CVE-2021-35940.patch 
@@ -0,0 +1,47 @@ +Description: SECURITY: CVE-2021-35940 (cve.mitre.org) + Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though + was addressed in 1.6.x in 1.6.3 and later via r1807976. + . + The fix was merged back to 1.7.x in r1891198. + . + Since this was a regression in 1.7.0, a new CVE name has been assigned + to track this, CVE-2021-35940. +Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1891198 +Bug-Debian: https://bugs.debian.org/992789 +Forwarded: not-needed +Last-Update: 2021-08-20 + +--- a/time/unix/time.c ++++ b/time/unix/time.c +@@ -142,6 +142,9 @@ APR_DECLARE(apr_status_t) apr_time_exp_g + static const int dayoffset[12] = + {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275}; + ++ if (xt->tm_mon < 0 || xt->tm_mon >= 12) ++ return APR_EBADDATE; ++ + /* shift new year to 1st March in order to make leap year calc easy */ + + if (xt->tm_mon < 2) +--- a/time/win32/time.c ++++ b/time/win32/time.c +@@ -54,6 +54,9 @@ static void SystemTimeToAprExpTime(apr_t + static const int dayoffset[12] = + {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334}; + ++ if (tm->wMonth < 1 || tm->wMonth > 12) ++ return APR_EBADDATE; ++ + /* Note; the caller is responsible for filling in detailed tm_usec, + * tm_gmtoff and tm_isdst data when applicable. + */ +@@ -228,6 +231,9 @@ APR_DECLARE(apr_status_t) apr_time_exp_g + static const int dayoffset[12] = + {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275}; + ++ if (xt->tm_mon < 0 || xt->tm_mon >= 12) ++ return APR_EBADDATE; ++ + /* shift new year to 1st March in order to make leap year calc easy */ + + if (xt->tm_mon < 2) diff --git a/debian/patches/series b/debian/patches/series index 6d8be19..4003573 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -12,3 +12,4 @@ use_fcntl_locking.patch cross.patch python3-hashbang.patch generic-64bit-atomics.patch +CVE-2021-35940.patch
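Review bot: in the time/win32/time.c hunk at line 54, `return APR_EBADDATE;` is added to a function whose hunk header reads `static void SystemTimeToAprExpTime(apr_t...`, so the new line returns a value from a void function; a C compiler will reject or warn about it, and even where it compiles the caller cannot see the failure and gets back a partially filled apr_time_exp_t. The file is not compiled for the Debian (Linux) build, so this does not break the package, but since the patch is a verbatim backport of r1891198 the problem should be noted in the patch description and raised upstream rather than left under `Forwarded: not-needed`; the function either needs an apr_status_t return type with its callers updated, or a bare `return;` with the wMonth precondition documented at the call sites.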
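Review bot: the two apr_time_exp_get hunks (time/unix/time.c line 142 and time/win32/time.c line 228) place `if (xt->tm_mon < 0 || xt->tm_mon >= 12)` before both the `if (xt->tm_mon < 2)` shift and the read of the 12-entry `dayoffset` table, so the index is confined to 0..11 before it is used; note that this is a zero-based check, whereas the SystemTimeToAprExpTime hunk checks a one-based `wMonth` against 1..12, so the "[1-12]" in the cover letter describes only the Windows case. It would help future reviewers if the d/changelog entry also mentioned that CVE-2021-35940 is the reintroduced CVE-2017-12613 fix, as the patch description does, so the security tracker cross-references both.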
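To make the bounds check in the patch concrete, the following is an added example written for this page; it is not APR's code and does not reproduce apr_time_exp_get. It uses a 12-entry cumulative-days table with the same shape as the win32 `dayoffset` table in the patch, shows the unchecked indexing pattern beside the hardened form, and covers both month conventions seen in the patch (zero-based `tm_mon` in 0..11 and one-based `wMonth` in 1..12). The function names and the numeric value of `EXAMPLE_EBADDATE`, standing in for APR_EBADDATE, are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for APR_EBADDATE. The value is an assumption for this example,
 * not APR's definition. */
#define EXAMPLE_EBADDATE 20022

/* Cumulative days before each month in a non-leap year, indexed by a
 * zero-based month (0 = January). Same shape as the win32 table in the patch. */
static const int dayoffset[12] =
    {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};

static int is_leap(int year)
{
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* The unchecked pattern: tm_mon goes straight into the 12-entry table.
 * A value outside 0..11 reads past the array (undefined behaviour). */
int yday_unchecked(int year, int tm_mon, int tm_mday)
{
    int yday = dayoffset[tm_mon] + tm_mday - 1;
    if (tm_mon > 1 && is_leap(year))   /* Feb 29 shifts March onwards */
        yday++;
    return yday;
}

/* Hardened form: the range test the patch adds, done before the table read.
 * Returns 0 and sets *yday, or EXAMPLE_EBADDATE and leaves *yday untouched. */
int yday_checked(int year, int tm_mon, int tm_mday, int *yday)
{
    if (tm_mon < 0 || tm_mon >= 12)
        return EXAMPLE_EBADDATE;
    *yday = yday_unchecked(year, tm_mon, tm_mday);  /* index proven in range */
    return 0;
}

/* One-based variant (1 = January), mirroring the wMonth check in the patch:
 * reject < 1 or > 12, then convert to the zero-based table index. */
int yday_checked_1based(int year, int wMonth, int wDay, int *yday)
{
    if (wMonth < 1 || wMonth > 12)
        return EXAMPLE_EBADDATE;
    *yday = yday_unchecked(year, wMonth - 1, wDay);
    return 0;
}

/* Convenience wrapper: day of year (zero-based), or -1 when the month is
 * rejected. one_based selects which convention the month uses. */
int yday_or_minus1(int year, int month, int mday, int one_based)
{
    int yday;
    int rc = one_based ? yday_checked_1based(year, month, mday, &yday)
                       : yday_checked(year, month, mday, &yday);
    return rc == 0 ? yday : -1;
}

int main(void)
{
    /* Constructed inputs: two valid dates and two out-of-range months of the
     * kind a caller could derive from an unvalidated timestamp field. */
    int tests[][3] = { {2021, 7, 24}, {2020, 2, 1}, {2021, 12, 1}, {2021, -1, 1} };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        int yday = yday_or_minus1(tests[i][0], tests[i][1], tests[i][2], 0);
        if (yday < 0)
            printf("year=%d tm_mon=%d: rejected (EBADDATE)\n",
                   tests[i][0], tests[i][1]);
        else
            printf("year=%d tm_mon=%d mday=%d: yday=%d\n",
                   tests[i][0], tests[i][1], tests[i][2], yday);
    }
    return 0;
}
```

The order matters: the check has to run before the first `dayoffset[tm_mon]` read, which is where the patch places it (ahead of the `tm_mon < 2` shift in the unix code). The unchecked function is shown only for contrast and is never called with an out-of-range month here.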