
Bug#992843: marked as done (bullseye-pu: package apr/1.7.0-6+deb11u1)



Your message dated Sat, 09 Oct 2021 12:09:40 +0100
with message-id <81741a2f4e370c14a3bec08b7fe6e2b10c32267b.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 11.1
has caused the Debian Bug report #992843,
regarding bullseye-pu: package apr/1.7.0-6+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
992843: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992843
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
An out-of-bounds array read in the apr_time_exp*() functions was fixed in
the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for
this issue was not carried forward to the APR 1.7.x branch, and hence
version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same
issue.

[ Impact ]
Medium vulnerability

[ Tests ]
No change in test (test launched only during build, no autopkgtest here)

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
This patch just adds some little checks (a month should not be outside
of [1-12]).

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 2331e3e..355b51a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+apr (1.7.0-6+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+
+  [ Salvatore Bonaccorso ]
+  * Out-of-bounds array dereference in apr_time_exp*() functions
+    (CVE-2021-35940) (Closes: #992789)
+
+ -- Yadd <yadd@debian.org>  Tue, 24 Aug 2021 09:18:26 +0200
+
 apr (1.7.0-6) unstable; urgency=medium
 
   [ John Paul Adrian Glaubitz ]
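Review bot: the changelog entry names only CVE-2021-35940, while the DEP-3 header in the new patch file explains that this restores the CVE-2017-12613 fix that was dropped in 1.7.x; adding that cross-reference to the changelog line (e.g. "regression of the CVE-2017-12613 fix in 1.7.0") would help anyone grepping the changelog for the older CVE. Also the entry says "array dereference" where the [ Reason ] section says "array read"; pick one wording.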
diff --git a/debian/patches/CVE-2021-35940.patch b/debian/patches/CVE-2021-35940.patch
new file mode 100644
index 0000000..6f215fc
--- /dev/null
+++ b/debian/patches/CVE-2021-35940.patch
@@ -0,0 +1,47 @@
+Description: SECURITY: CVE-2021-35940 (cve.mitre.org)
+ Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though
+ was addressed in 1.6.x in 1.6.3 and later via r1807976.
+ .
+ The fix was merged back to 1.7.x in r1891198.
+ .
+ Since this was a regression in 1.7.0, a new CVE name has been assigned
+ to track this, CVE-2021-35940.
+Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1891198
+Bug-Debian: https://bugs.debian.org/992789
+Forwarded: not-needed
+Last-Update: 2021-08-20
+
+--- a/time/unix/time.c
++++ b/time/unix/time.c
+@@ -142,6 +142,9 @@ APR_DECLARE(apr_status_t) apr_time_exp_g
+     static const int dayoffset[12] =
+     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ 
++    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++        return APR_EBADDATE;
++
+     /* shift new year to 1st March in order to make leap year calc easy */
+ 
+     if (xt->tm_mon < 2)
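Review bot: the bounds 0..11 are the right ones here, since tm_mon is 0-based and is the index into the 12-entry dayoffset table, and the early return sits before the "shift new year" branch that tests tm_mon < 2, so that path is covered as well. Two things to confirm outside the hunk: the documented return values of apr_time_exp_get() (the header is truncated to apr_time_exp_g) should now list APR_EBADDATE, and callers that ignore the status must not go on to use an apr_time_t that this function never wrote.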
+--- a/time/win32/time.c
++++ b/time/win32/time.c
+@@ -54,6 +54,9 @@ static void SystemTimeToAprExpTime(apr_t
+     static const int dayoffset[12] =
+     {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
+ 
++    if (tm->wMonth < 1 || tm->wMonth > 12)
++        return APR_EBADDATE;
++
+     /* Note; the caller is responsible for filling in detailed tm_usec,
+      * tm_gmtoff and tm_isdst data when applicable.
+      */
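Review bot: `return APR_EBADDATE;` is placed in a function the hunk header shows as `static void SystemTimeToAprExpTime(...)`, so it returns a value from a void function; compilers reject that or warn, and even where it compiles the status is discarded, so the caller gets an untouched apr_time_exp_t instead of an error. Either change the helper to return apr_status_t and propagate it from its callers, or use a bare `return;` and validate wMonth in the apr_status_t-returning callers. The 1..12 range itself is correct for SYSTEMTIME's 1-based wMonth. Since this is the win32 build only it does not affect the Debian package, but it is worth raising upstream.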
+@@ -228,6 +231,9 @@ APR_DECLARE(apr_status_t) apr_time_exp_g
+     static const int dayoffset[12] =
+     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ 
++    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++        return APR_EBADDATE;
++
+     /* shift new year to 1st March in order to make leap year calc easy */
+ 
+     if (xt->tm_mon < 2)
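Review bot: this is the same 0-based check as in time/unix/time.c, while the earlier hunk in this same file uses 1-based bounds for wMonth; both are right for their inputs (tm_mon 0..11 indexes dayoffset, SYSTEMTIME.wMonth is 1..12), but a short comment at each site naming the convention would stop a later cleanup from "unifying" the two ranges and reintroducing an off-by-one.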
diff --git a/debian/patches/series b/debian/patches/series
index 6d8be19..4003573 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,3 +12,4 @@ use_fcntl_locking.patch
 cross.patch
 python3-hashbang.patch
 generic-64bit-atomics.patch
+CVE-2021-35940.patch

--- End Message ---
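Added example, not part of this bug thread and not APR's own source: a reduced C model of the day-number arithmetic in the patched apr_time_exp_get(), built around the same 12-entry dayoffset table and March-based year shift that the unix hunk shows, with the 1.7.0 unchecked path beside the patched one. The exp_time_t struct, the function names, the APR_EBADDATE value and the sentinel values placed around the table are assumptions made for this demo; in the real library the table is a bare 12-element array and an out-of-range tm_mon reads whatever the linker placed next to it.

```c
/*
 * Added example, not APR's own code: a reduced model of the day-number part of
 * apr_time_exp_get() from time/unix/time.c, showing why an unvalidated tm_mon
 * is an out-of-bounds read (CVE-2017-12613, reintroduced in 1.7.0 as
 * CVE-2021-35940) and what the r1891198 check changes. exp_time_t, the
 * exp_get_* names, the APR_EBADDATE value and the sentinels are assumptions.
 */
#include <stdint.h>
#include <stdio.h>

#define APR_SUCCESS  0
#define APR_EBADDATE 20021   /* assumed value for the demo; APR defines its own */

typedef struct {
    int tm_mday;   /* day of month, 1..31 */
    int tm_mon;    /* month, 0..11, used directly as an array index */
    int tm_year;   /* years since 1900 */
} exp_time_t;

/* The 12-entry table from the patched function, with one guard slot on each
 * side. In the real library it is a bare 12-element array, so index -1 and
 * index 12 read whatever sits around it in .rodata; here those reads land on
 * recognisable sentinels so the demo itself stays well-defined. */
static const int rodata_neighbourhood[14] = {
    -9999,                                                 /* hit by tm_mon == -1 */
    306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275, /* dayoffset[0..11]   */
    9999                                                   /* hit by tm_mon == 12 */
};
static const int *const dayoffset = rodata_neighbourhood + 1;

/* Days since 1970-01-01 using the March-based year trick from the source:
 * January and February count as the tail of the previous year so the leap
 * day falls at the end and the leap-year correction is a simple formula. */
static int64_t days_from_march_year(const exp_time_t *xt)
{
    int64_t year = xt->tm_year;
    if (xt->tm_mon < 2)
        year--;
    int64_t days = year * 365 + year / 4 - year / 100 + (year / 100 + 3) / 4;
    days += dayoffset[xt->tm_mon] + xt->tm_mday - 1;   /* the unchecked index */
    return days - 25508;   /* 1970-01-01 is the 25508th day after 1900-03-01 */
}

/* 1.7.0 behaviour: no range check, so tm_mon == 12 or -1 silently reads past
 * the table and reports success with a plausible-looking but wrong day number.
 * Only drive this with -1 <= tm_mon <= 12 in the demo; anything else is a real
 * out-of-bounds read even here. */
static int exp_get_unchecked(int64_t *days_out, const exp_time_t *xt)
{
    *days_out = days_from_march_year(xt);
    return APR_SUCCESS;
}

/* 1.7.0-6+deb11u1 behaviour: the exact check the patch adds. */
static int exp_get_checked(int64_t *days_out, const exp_time_t *xt)
{
    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
        return APR_EBADDATE;
    *days_out = days_from_march_year(xt);
    return APR_SUCCESS;
}

/* Scalar wrappers so the two behaviours are easy to compare. */
int64_t unchecked_days(int mday, int mon, int year)
{
    exp_time_t xt = { mday, mon, year };
    int64_t d;
    exp_get_unchecked(&d, &xt);
    return d;
}

int checked_status(int mday, int mon, int year)
{
    exp_time_t xt = { mday, mon, year };
    int64_t d;
    return exp_get_checked(&d, &xt);
}

int64_t checked_days(int mday, int mon, int year)
{
    exp_time_t xt = { mday, mon, year };
    int64_t d = INT64_MIN;   /* stays untouched when the check rejects the date */
    exp_get_checked(&d, &xt);
    return d;
}

int main(void)
{
    printf("2021-08-24 (tm_mon=7)   -> day %lld\n", (long long)checked_days(24, 7, 121));
    printf("tm_mon=12, unchecked    -> day %lld (garbage, status still success)\n",
           (long long)unchecked_days(1, 12, 121));
    printf("tm_mon=12, checked      -> status %d (APR_EBADDATE)\n", checked_status(1, 12, 121));
    return 0;
}
```

Build with `cc -std=c99 -Wall demo.c && ./a.out`. The point to take from the unchecked variant is the failure mode rather than a crash: it returns APR_SUCCESS with a day number computed from a neighbouring word, which is why a missing range check on an index into a small static table is an information-disclosure and integrity bug even when nothing faults.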
--- Begin Message ---
Package: release.debian.org
Version: 11.1

Hi,

The updates relating to these bugs were included in this morning's 11.1
point release for bullseye.

Regards,

Adam

--- End Message ---
