Opened 4 months ago

Closed 3 months ago

Last modified 3 months ago

#15453 closed enhancement (fixed)

Patch APR against CVE-2021-35940

Reported by: Douglas R. Reno Owned by: pierre
Priority: elevated Milestone: 11.0
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

I received the following mail from oss-security this morning:


Description:

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

Credit:

The Apache Portable Runtime project would like to thank Iveta Cesalova (Red Hat) for reporting this issue.

References:

http://svn.apache.org/viewvc?view=revision&revision=1891198 http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCACsi251B8UaLvM-rrH9fv57-zWi0zhyF3275_jPg1a9VEVVoxw@mail.gmail.com%3E https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch


It appears that a security vulnerability from 2017 was left unpatched in 1.7.0, while it was fixed in 1.6.3.

We may be able to do with a sed since only one file is modified for UNIX systems:

Index: time/unix/time.c
===================================================================
--- time/unix/time.c	(revision 1891197)
+++ time/unix/time.c	(revision 1891198)
@@ -142,6 +142,9 @@
     static const int dayoffset[12] =
     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
 
+    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
+        return APR_EBADDATE;
+
     /* shift new year to 1st March in order to make leap year calc easy */
 
     if (xt->tm_mon < 2)

Change History (5)

comment:1 by Douglas R. Reno, 3 months ago

Milestone: 11.111.0

Promote back to 11.0.

comment:2 by pierre, 3 months ago

Owner: changed from blfs-book to pierre
Status: newassigned

comment:3 by pierre, 3 months ago

The following sed is not very nice, but does the trick:

sed '/{306/a \
\
    if (xt->tm_mon < 0 || xt->tm_mon >= 12) \
        return APR_EBADDATE;' -i time/unix/time.c

NB: 306 is not a line number

comment:4 by pierre, 3 months ago

Resolution: fixed
Status: assignedclosed

comment:5 by Bruce Dubbs, 3 months ago

How about:

sed -e "/shift/i \
\    if (xt->tm_mon < 0 || xt->tm_mon >= 12) return APR_EBADDATE;\n" \
    -i time/unix/time.c

There is only one "shift" in the file right below where the added line is needed. The second backslash ensures the leading spaces are not ignored.

Note: See TracTickets for help on using tickets.