Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#15453 closed enhancement (fixed)

Patch APR against CVE-2021-35940

Reported by: Douglas R. Reno
Owned by: pierre
Priority: elevated
Milestone: 11.0
Component: BOOK
Version: git
Severity: normal
Keywords:


I received the following mail from oss-security this morning:


An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.


The Apache Portable Runtime project would like to thank Iveta Cesalova (Red Hat) for reporting this issue.


It appears that a security vulnerability from 2017 was left unpatched in 1.7.0, while it was fixed in 1.6.3.

We may be able to do with a sed since only one file is modified for UNIX systems:

Index: time/unix/time.c
--- time/unix/time.c	(revision 1891197)
+++ time/unix/time.c	(revision 1891198)
@@ -142,6 +142,9 @@
     static const int dayoffset[12] =
     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
+        return APR_EBADDATE;
     /* shift new year to 1st March in order to make leap year calc easy */
     if (xt->tm_mon < 2)
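
Review bot: The new guard hard-codes the bound in `xt->tm_mon >= 12` separately from the `dayoffset[12]` declaration just above it, so the check and the array size can drift apart if either is edited later; deriving the limit from the array, for example `sizeof(dayoffset) / sizeof(dayoffset[0])`, keeps them tied together. The header `@@ -142,6 +142,9 @@` also announces three added lines while only two `+` lines are visible, so a blank added line appears to have been lost when the diff was pasted; regenerate it from the repository before feeding it to patch. A regression test that passes `tm_mon` values of -1 and 12 and expects `APR_EBADDATE` would stop this fix from being dropped again on a later branch.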

Change History (5)

comment:1 by Douglas R. Reno, 3 years ago

Milestone: 11.1 → 11.0

Promote back to 11.0.

comment:2 by pierre, 3 years ago

Owner: changed from blfs-book to pierre
Status: new → assigned

comment:3 by pierre, 3 years ago

The following sed is not very nice, but does the trick:

sed '/{306/a \
    if (xt->tm_mon < 0 || xt->tm_mon >= 12) \
        return APR_EBADDATE;' -i time/unix/time.c

NB: 306 is not a line number

comment:4 by pierre, 3 years ago

Resolution: fixed
Status: assigned → closed

comment:5 by Bruce Dubbs, 3 years ago

How about:

sed -e "/shift/i \
\    if (xt->tm_mon < 0 || xt->tm_mon >= 12) return APR_EBADDATE;\n" \
    -i time/unix/time.c

There is only one "shift" in the file right below where the added line is needed. The second backslash ensures the leading spaces are not ignored.
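
Added example, not part of the ticket or the BLFS book: sed exits successfully even when its address matches nothing, so a build script can apply the guard from comment:3 and then confirm that it landed exactly once and in the right place. The function names `make_sample`, `apply_guard` and `verify_guard` are hypothetical, the input is a constructed excerpt containing only the context lines visible in the diff above, and GNU sed is assumed for `-i`.

```bash
#!/bin/bash
# Added example, not from the ticket. Assumes GNU sed (for -i).
GUARD='xt->tm_mon >= 12'    # fixed string identifying the inserted bounds check

# Constructed excerpt: only the context lines visible in the ticket's diff,
# not the real time/unix/time.c.
make_sample() {
    cat > "$1" <<'EOF'
    static const int dayoffset[12] =
    {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
    /* shift new year to 1st March in order to make leap year calc easy */
    if (xt->tm_mon < 2)
EOF
}

# Apply comment:3's sed once. The anchor is checked first because sed reports
# success even when nothing matched; an existing guard is not duplicated.
apply_guard() {
    local f=$1
    if ! grep -qF '{306' "$f"; then
        return 2                      # anchor missing: wrong file or changed source
    fi
    if grep -qF "$GUARD" "$f"; then
        return 0                      # already patched
    fi
    sed '/{306/a \
    if (xt->tm_mon < 0 || xt->tm_mon >= 12) \
        return APR_EBADDATE;' -i "$f"
}

# Succeeds only if the guard occurs exactly once, sits between the table and
# the "shift new year" comment, and is followed by the APR_EBADDATE return.
verify_guard() {
    local f=$1 n guard table shiftln
    n=$(grep -cF "$GUARD" "$f")
    [ "$n" -eq 1 ] || return 1
    guard=$(grep -nF "$GUARD" "$f" | cut -d: -f1)
    table=$(grep -nF '{306' "$f" | head -n1 | cut -d: -f1)
    shiftln=$(grep -nF 'shift new year' "$f" | head -n1 | cut -d: -f1)
    [ -n "$table" ] && [ -n "$shiftln" ] || return 1
    [ "$table" -lt "$guard" ] && [ "$guard" -lt "$shiftln" ] || return 1
    sed -n "${guard},$((guard + 1))p" "$f" | grep -qF 'return APR_EBADDATE'
}

# Demo on the constructed excerpt.
tmp=$(mktemp)
make_sample "$tmp"
apply_guard "$tmp" && verify_guard "$tmp" && echo "guard present once, before the shift comment"
rm -f "$tmp"
```

The same verification accepts the single-line form from comment:5, since it looks for the return on the guard line or the line after it.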
