Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#15453 closed enhancement (fixed)

Patch APR against CVE-2021-35940

Reported by: Douglas R. Reno
Owned by: pierre
Priority: elevated
Milestone: 11.0
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

I received the following mail from oss-security this morning:


Description:

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

Credit:

The Apache Portable Runtime project would like to thank Iveta Cesalova (Red Hat) for reporting this issue.

References:

http://svn.apache.org/viewvc?view=revision&revision=1891198
http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCACsi251B8UaLvM-rrH9fv57-zWi0zhyF3275_jPg1a9VEVVoxw@mail.gmail.com%3E
https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch


It appears that a security vulnerability from 2017 was left unpatched in 1.7.0, while it was fixed in 1.6.3.

We may be able to do with a sed since only one file is modified for UNIX systems:

Index: time/unix/time.c
===================================================================
--- time/unix/time.c	(revision 1891197)
+++ time/unix/time.c	(revision 1891198)
@@ -142,6 +142,9 @@
     static const int dayoffset[12] =
     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
 
+    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
+        return APR_EBADDATE;
+
     /* shift new year to 1st March in order to make leap year calc easy */
 
     if (xt->tm_mon < 2)
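
Review bot: the added tm_mon range check hard-codes 12 and carries no comment tying it to the dayoffset[12] table declared directly above it, so the reason for the bound is not visible at the check itself. Suggest a short comment on the new lines saying that out-of-range months are rejected before the table is used, and consider deriving the upper bound from the array size (sizeof(dayoffset) / sizeof(dayoffset[0])) so the check and the table cannot drift apart. The guard is correctly placed ahead of the existing "if (xt->tm_mon < 2)" logic.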

Change History (5)

comment:1 by Douglas R. Reno, 3 years ago

Milestone: 11.1 → 11.0

Promote back to 11.0.

comment:2 by pierre, 3 years ago

Owner: changed from blfs-book to pierre
Status: new → assigned

comment:3 by pierre, 3 years ago

The following sed is not very nice, but does the trick:

sed '/{306/a \
\
    if (xt->tm_mon < 0 || xt->tm_mon >= 12) \
        return APR_EBADDATE;' -i time/unix/time.c

NB: 306 is not a line number

comment:4 by pierre, 3 years ago

Resolution: fixed
Status: assigned → closed

comment:5 by Bruce Dubbs, 3 years ago

How about:

sed -e "/shift/i \
\    if (xt->tm_mon < 0 || xt->tm_mon >= 12) return APR_EBADDATE;\n" \
    -i time/unix/time.c

There is only one "shift" in the file right below where the added line is needed. The second backslash ensures the leading spaces are not ignored.
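
A check to run after either sed above, as an added example that is not part of the ticket: sed exits 0 even when its address matches nothing, so this verifies that the guard from the patch is present exactly once and sits before the "shift new year" comment. The function names and the sample file are constructed for this example; apply_fix is the sed from comment:5 and assumes GNU sed.

```shell
#!/bin/sh
# Added example (not from the ticket): confirm the CVE-2021-35940 guard landed.

# check_guard FILE: succeed only if the month range check occurs exactly once,
# precedes the "shift new year" comment, and returns APR_EBADDATE on the same
# line (comment:5 form) or on the next line (upstream patch form).
check_guard() {
    awk '
        want_ret { if (index($0, "return APR_EBADDATE;")) ret++; want_ret = 0 }
        index($0, "if (xt->tm_mon < 0 || xt->tm_mon >= 12)") {
            guards++
            if (!shifted) before++
            if (index($0, "return APR_EBADDATE;")) { ret++ } else { want_ret = 1 }
        }
        index($0, "shift new year") { shifted = 1 }
        END { exit !(guards == 1 && before == 1 && ret == 1) }
    ' "$1"
}

# write_sample FILE: constructed excerpt built from the hunk's context lines.
write_sample() {
    cat > "$1" <<'EOF'
    static const int dayoffset[12] =
    {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};

    /* shift new year to 1st March in order to make leap year calc easy */

    if (xt->tm_mon < 2)
EOF
}

# apply_fix FILE: the sed from comment:5, with only the file name changed.
apply_fix() {
    sed -e "/shift/i \
\    if (xt->tm_mon < 0 || xt->tm_mon >= 12) return APR_EBADDATE;\n" \
        -i "$1"
}

report() {
    if check_guard "$1"; then echo "$2: guard OK"; else echo "$2: guard NOT OK"; fi
}

# Demo on the constructed sample: a second sed run duplicates the guard.
f=$(mktemp) && write_sample "$f" && report "$f" "unpatched"
apply_fix "$f" && report "$f" "sed applied once"
apply_fix "$f" && report "$f" "sed applied twice"
rm -f "$f"
```

Against the real tree, call check_guard time/unix/time.c after the sed and stop the build on a non-zero status.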
