Accepting request 1062950 from home:AndreasStieger:branches:Apache

apr 1.7.2 CVE-2022-24963 boo#1207870 OBS-URL: https://build.opensuse.org/request/show/1062950 OBS-URL: https://build.opensuse.org/package/show/Apache/apr?expand=0&rev=41
2023-02-03 09:06:24 +00:00 · 2023-02-03 09:06:24 +00:00 · 36362ecaf9
commit 36362ecaf9
parent d960b1d968
8 changed files with 6100 additions and 1463 deletions
--- a/apr-1.7.0.tar.bz2
+++ b/apr-1.7.0.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e2e148f0b2e99b8e5c6caa09f6d4fb4dd3e83f744aa72a952f94f5a14436f7ea
-size 872238
--- a/apr-1.7.0.tar.bz2.asc
+++ b/apr-1.7.0.tar.bz2.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIcBAABAgAGBQJcolDOAAoJEB4fkJkRx4c1PPwP/Az3wofxvzRGg9ojAjhLOJbU
-0Zb3NnbEkLWgl9UeTZLgyl5EVWm8Iajje8V/JLSgHKiYebLh39bdvCF/A/vl+iaW
-Xcw00yAfieCa45Io5PqBlLnnqe1ELbfG2Hx+lGaCOwXpZyPsA40WO+ZUJyqXCQHf
-D2IE1rtVP6auCvhmGLmtkGTlcyTltJWm0mYEkmWR/nM+n5YvOFlSUOcAMbnloE67
-VOcy0pH/Vjga7pfsRRN/N76EkZDNfEfRvlZKBFHguWNSig20scvKo1pjjEOpjHwC
-7DdtZNWKCtw3s5nMXd8+qhAg1paqoRaMKOw71y8W6yXgq1D2KyhywZGkU5k1H3xO
-QdJwyQjsGyMnk2GOfSikmKPY2PaGAAxXArnQRvsdcN4IfhVYq+NgUOZB/QSVCC4f
-81/y1mK7yxDuK4fIRnqpICO+wQfXpevTc7kBpX2u2Sq3Jk8n5cNKDXJehfo9z09J
-p5XcVyJqyIEpXhY2UEbJfMIiDQaVJR48CGPBmbhaHcF8sx5EIk6FVlcJR3805BPf
-iUy+jWOm7hYxACPPI804xAUdhFAMmKzA6PqCimUQ+OVmumQ3E5UsYbugXnqxDJxO
-fiAjOs6pqbrVdA7DIIBpx/Titjq5Ikrpb+7XXKTp5oC1lIi3oueg+cH+5dGF7amw
-uzHvhRtZd4Nvh5lJ6ffY
-=LV+K
-----END PGP SIGNATURE-----
--- a/apr-1.7.2.tar.bz2
+++ b/apr-1.7.2.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:75e77cc86776c030c0a5c408dfbd0bf2a0b75eed5351e52d5439fa1e5509a43e
+size 890218
--- a/apr-1.7.2.tar.bz2.asc
+++ b/apr-1.7.2.tar.bz2.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEZbLUT+dL1ePeOsPwgngd5G1ZVPoFAmPZgJ4ACgkQgngd5G1Z
+VPovWA//dYWoZVuFcyjoDAnmp61SrjU0c9hIEPtihGw8oOOXsONdxM1JDT3ax+NO
+xl1tW+fFYEae+5SeDhRhjOGazRA5n+LILhEQIBrAZOvnXXWnuEC9UKaZzL+nHMvi
+ysCzICHKZiUne9P6B5oWrfXGZIW47wJ2zUKd9xS6wmB1NLEcCuvt6Yt1pP9ZkChW
+cFF54W9xZQaTZCSCUpJnYUr55W98vNEaxNVjxzgzZFeXN+A1ARKNSLtHugdVUEUo
+i4O8nECv8N0FkPP3Wa3DnNYTIc8s0g+E1bdirzSA2mJhmVWnALTcn++xHVDI2hYq
+TnToXK9loRl2wf/yedKQ+nUVfjnDIP2XIMnxr7K+rSDo5v/Sc4g1CJtePcfxFP9H
+fk+BGcpffhDcQCwvSYVeBxyzrqN4AGUt8iCmTcpXirm4ksKbIwj1eGv3p//qnjbe
+Ka26JObox/8jrkobqHDHIQW/yAsrD7ravft7QxC8SLGwRxp6Mb2itKHD8l58ScjA
+Ot3SzNkhzUz/cmaxCJDiya6460mYrHG5DpXskX6ByRJzhZzNLjZUypKTt/04aQJ+
+bq6bOFmWzTqhNS9gsf106puc1mAZkq0ja1Dd5GBWF6ksRB0StuhF83MedQAfpa+G
+Ha0bp6h1vX3N3HWxuJuw42c/dDcgjCy5Qqe9KMiIgSCfdyV9UZw=
+=9loG
+-----END PGP SIGNATURE-----
--- a/apr-CVE-2021-35940.patch
+++ b/apr-CVE-2021-35940.patch
@ -1,14 +0,0 @@
-
--- 1.7.x/time/unix/time.c	2021/07/02 11:07:15	1891197
-+++ 1.7.x/time/unix/time.c	2021/07/02 11:10:33	1891198
-@@ -142,6 +142,9 @@
-     static const int dayoffset[12] =
-     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
- 
-+    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
-+        return APR_EBADDATE;
-+
-     /* shift new year to 1st March in order to make leap year calc easy */
- 
-     if (xt->tm_mon < 2)
-
--- a/apr.changes
+++ b/apr.changes
@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Thu Feb  2 19:55:07 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- update to 1.7.2:
+  * CVE-2022-24963: Integer Overflow or Wraparound vulnerability in
+    apr_encode functions allows an attacker to write beyond bounds 
+    of a buffer (boo#1207870)
+  * Add error handling for lseek() failures in apr_file_write() and
+    apr_file_writev()
+  * Avoid an overflow on 32 bit platforms
+  * Don't silently set APR_FOPEN_NOCLEANUP for apr_file_mktemp()
+    created file to avoid a fd and inode leak when/if later passed
+    to apr_file_setaside().
+  * build system fixes and fixes for other platforms
+- drop apr-CVE-2021-35940.patch included upstream (CVE-2021-35940)
+
 -------------------------------------------------------------------
 Sat Mar 26 10:43:23 UTC 2022 - Stephan Kulow <coolo@suse.com>

--- a/apr.keyring
+++ b/apr.keyring
--- a/apr.spec
+++ b/apr.spec
@ -1,7 +1,7 @@
 #
 # spec file for package apr
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -21,7 +21,7 @@
 %define         installbuilddir %{_libdir}/apr-%{aprver}/build
 %define         includedir %{_includedir}/apr-%{aprver}
 Name:           apr
-Version:        1.7.0
+Version:        1.7.2
 Release:        0
 Summary:        Apache Portable Runtime (APR) Library
 License:        Apache-2.0
@ -29,13 +29,11 @@ Group:          Development/Libraries/C and C++
 URL:            https://apr.apache.org/
 Source0:        https://www.apache.org/dist/apr/apr-%{version}.tar.bz2
 Source1:        https://www.apache.org/dist/apr/apr-%{version}.tar.bz2.asc
-Source2:        %{name}.keyring
+Source2:        https://downloads.apache.org/apr/KEYS#/%{name}.keyring
 Patch5:         apr-visibility.patch
 Patch9:         apr-proc-mutex-map-anon.patch
 # prevent random failures of the testsuite (sendfile test)
 Patch10:        apr-test-sendfile-timeout.patch
-# CVE-2021-3594 [bsc#1187367], invalid pointer initialization may lead to information disclosure (udp)
-Patch11:        apr-CVE-2021-35940.patch
 BuildRequires:  doxygen
 BuildRequires:  fdupes
 BuildRequires:  libuuid-devel
@ -43,7 +41,6 @@ BuildRequires:  lksctp-tools-devel
 # for the testsuite
 BuildRequires:  netcfg
 BuildRequires:  pkgconfig
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
 APR is Apache's Portable Runtime Library, designed to be a support
@ -83,11 +80,7 @@ This subpackage contains header files for developing applications
 that want to make use of APR.

 %prep
-%setup -q
-%patch5 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
+%autosetup -p1

 # Do not put date to doxy content
 sed -i \
@ -106,11 +99,11 @@ sed -i \
 	--disable-static \
 	--enable-posix-shm \
 	--with-sendfile
-make %{?_smp_mflags} CFLAGS="%{optflags} -DREADDIR_IS_THREAD_SAFE -fvisibility=hidden -fPIC"
-make dox %{?_smp_mflags}
+%make_build CFLAGS="%{optflags} -DREADDIR_IS_THREAD_SAFE -fvisibility=hidden -fPIC"
+%make_build dox

 %install
-make DESTDIR=$RPM_BUILD_ROOT install %{?_smp_mflags}
+%make_install
 # Move docs to more convenient location
 mv docs/dox/html html
 # Unpackaged files:
@ -128,9 +121,9 @@ sed -ri '/^Libs/{s,-l(uuid|crypt) ,,g}' \
 %check
 %if ! 0%{?qemu_user_space_build}
 %ifarch ppc ppc64 ppc64le
-make check -j1 || { echo "ignore PowerPC transient test failures"; exit 0; }
+%make_build check -j1 || { echo "ignore PowerPC transient test failures"; exit 0; }
 %else
-make check -j1
+%make_build check -j1
 %endif
 %endif

@ -138,12 +131,11 @@ make check -j1
 %postun -n %{libname} -p /sbin/ldconfig

 %files -n %{libname}
-%defattr(-,root,root,-)
 %doc CHANGES
 %if 0%{?suse_version} > 1315
 %license LICENSE
 %else
-%doc LICENSE
+%license LICENSE
 %endif
 %doc NOTICE
 %{_libdir}/libapr-%{aprver}.so.*
@ -151,7 +143,6 @@ make check -j1
 %{_libdir}/libapr-%{aprver}.so

 %files devel
-%defattr(-,root,root,-)
 %doc docs/APRDesign.html
 %doc docs/canonical_filenames.html
 %doc docs/incomplete_types