mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-17 18:32:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

apr: Security fix for CVE-2021-35940

Browse Source 
Source:  https://dist.apache.org
MR: 112793
Type: Security Fix
Disposition: Backport from https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch
ChangeID: c8247210204ffcc7d1425e3d60f077ad3dd54ebc
Description:

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the
Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue
was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed
compared to 1.6.3 and is vulnerable to the same issue.

(From OE-Core rev: 315262830bfe2bc8b2a9259541bb3a0bc83a2cdd)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster
2021-09-10 20:00:01 -07:00
committed by Richard Purdie
parent 6038399048
commit eb3e28fa18
2 changed files with 59 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
meta/recipes-support/apr/apr/CVE-2021-35940.patch Normal file
View File

@@ -0,0 +1,58 @@
SECURITY: CVE-2021-35940 (cve.mitre.org)
Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though
was addressed in 1.6.x in 1.6.3 and later via r1807976.
The fix was merged back to 1.7.x in r1891198.
Since this was a regression in 1.7.0, a new CVE name has been assigned
to track this, CVE-2021-35940.
Thanks to Iveta Cesalova <icesalov redhat.com> for reporting this issue.
https://svn.apache.org/viewvc?view=revision&revision=1891198
Upstream-Status: Backport
CVE: CVE-2021-35940
Signed-off-by: Armin Kuster <akuster@mvista.com>
Index: time/unix/time.c
===================================================================
--- a/time/unix/time.c (revision 1891197)
+++ b/time/unix/time.c (revision 1891198)
@@ -142,6 +142,9 @@
static const int dayoffset[12] =
{306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ if (xt->tm_mon < 0 || xt->tm_mon >= 12)
+ return APR_EBADDATE;
+
/* shift new year to 1st March in order to make leap year calc easy */
if (xt->tm_mon < 2)
Index: time/win32/time.c
===================================================================
--- a/time/win32/time.c (revision 1891197)
+++ b/time/win32/time.c (revision 1891198)
@@ -54,6 +54,9 @@
static const int dayoffset[12] =
{0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
+ if (tm->wMonth < 1 || tm->wMonth > 12)
+ return APR_EBADDATE;
+
/* Note; the caller is responsible for filling in detailed tm_usec,
* tm_gmtoff and tm_isdst data when applicable.
*/
@@ -228,6 +231,9 @@
static const int dayoffset[12] =
{306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ if (xt->tm_mon < 0 || xt->tm_mon >= 12)
+ return APR_EBADDATE;
+
/* shift new year to 1st March in order to make leap year calc easy */
if (xt->tm_mon < 2)

1
meta/recipes-support/apr/apr_1.7.0.bb
View File

@@ -23,6 +23,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \
file://0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch \
file://libtoolize_check.patch \
file://0001-Add-option-to-disable-timed-dependant-tests.patch \
file://CVE-2021-35940.patch \
"
SRC_URI[md5sum] = "7a14a83d664e87599ea25ff4432e48a7"