#17582 closed enhancement (fixed)

apr-1.7.2

Reported by: Douglas R. Reno
Owned by: Tim Tassonis
Priority: elevated
Milestone: 11.3
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version

Contains a security fix for CVE-2022-24963, which is an out-of-bounds write in the apr_encode family of functions. It seems to be occurring due to an integer overflow or wraparound.

Change History (5)

comment:1 by Tim Tassonis, 15 months ago

Owner: changed from blfs-book to Tim Tassonis
Status: new → assigned

comment:2 by Tim Tassonis, 15 months ago

Resolution: fixed
Status: assigned → closed

Fixed in commit 940d6093e2.

comment:3 by Bruce Dubbs, 15 months ago

Resolution: fixed
Status: closed → reopened
Summary: apr-1.7.1 → apr-1.7.2

Now version 1.7.2.

comment:4 by Tim Tassonis, 15 months ago

Changes for APR 1.7.1

*) SECURITY: CVE-2022-24963 (cve.mitre.org)

Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer.

*) SECURITY: CVE-2022-28331 (cve.mitre.org)

On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in apr_socket_sendv(). This is a result of integer overflow.

*) SECURITY: CVE-2021-35940 (cve.mitre.org)

Restore fix for out-of-bounds array dereference in apr_time_exp*() functions. (This issue was addressed as CVE-2017-12613 in APR 1.6.3 and later 1.6.x releases, but was missing in 1.7.0.) [Stefan Sperling]

*) configure: Fix various build issues for compilers enforcing strict C99 compliance. PR 66396, 66408, 66426. [Florian Weimer <fweimer redhat.com>, Sam James <sam gentoo.org>]

*) apr_atomic_read64(): Fix non-atomic read on 32-bit Windows [Ivan Zhakov]

*) configure: Prefer posix name-based shared memory over SysV IPC. [Jim Jagielski]

*) configure: Add --disable-sctp argument to forcibly disable SCTP support, or --enable-sctp which fails if SCTP support is not detected. [Lubos Uhliarik <luhliari redhat.com>, Joe Orton]

*) Fix handle leak in the Win32 apr_uid_current implementation. PR 61165. [Ivan Zhakov]

*) Add error handling for lseek() failures in apr_file_write() and apr_file_writev(). [Joe Orton]

*) Don't silently set APR_FOPEN_NOCLEANUP for apr_file_mktemp() created file to avoid a fd and inode leak when/if later passed to apr_file_setaside(). [Yann Ylavic]

*) APR's configure script uses AC_TRY_RUN to detect whether the return type of strerror_r is int. When cross-compiling this defaults to no.

This commit adds an AC_CACHE_CHECK so users who cross-compile APR may influence the outcome with a configure variable. [Sebastian Kemper <sebastian_ml gmx net>]

*) Add a cache check with which users who cross-compile APR can influence the outcome of the /dev/zero test by setting the variable ac_cv_mmapdev_zero=yes [Sebastian Kemper <sebastian_ml gmx net>]

*) Trick autoconf into printing the correct default prefix in the help. [Stefan Fritsch]

*) Don't try to use PROC_PTHREAD by default when cross compiling. [Yann Ylavic]

*) Add the ability to cross compile APR. [Graham Leggett]

*) While cross-compiling, the tools/gen_test_char could not be executed at build time, use AX_PROG_CC_FOR_BUILD to build native tools/gen_test_char

Support explicit libtool by variable assigning before buildcheck.sh, it is helpful for cross-compiling (such as libtool=aarch64-linux-libtool) [Hongxu Jia <hongxu.jia windriver.com>]

*) Avoid an overflow on 32 bit platforms. [René Hjortskov Nielsen <r... hjortskov.dk>]

*) Use AC_CHECK_SIZEOF, so as to support cross compiling. PR 56053. [Mike Frysinger <vapier gentoo.org>]

*) Add --tag=CC to libtool invocations. PR 62640. [Michael Osipov]

*) apr_pools: Fix pool debugging output so that creation events are always emitted before allocation events and subpool destruction events are emitted on pool clear/destroy for proper accounting. [Brane Čibej]

*) apr_socket_listen: Allow larger listen backlog values on Windows 8+. [Evgeny Kotkov <evgeny.kotkov visualsvn.com>]

*) Fixed: apr_get_oslevel() was returning APR_WIN_XP on Windows 10

*) Fix attempt to free invalid memory on exit when apr_app is used on Windows. [Ivan Zhakov]

*) Fix double free on exit when apr_app is used on Windows. [Ivan Zhakov]

*) Fix a regression in apr_stat() for root path on Windows. [Ivan Zhakov]

comment:5 by Tim Tassonis, 15 months ago

Resolution: fixed
Status: reopened → closed

Fixed in commit 134d869f9c
