From 8510cef9af1e259cc3a83b2153cfcbb543bf927cba47637243e91288574561ba Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Thu, 17 Oct 2019 13:42:57 +0000
Subject: [PATCH 1/4] Accepting request 739587 from home:RBrownSUSE:branches:Apache

Remove obsolete Groups tag (fate#326485)

OBS-URL: https://build.opensuse.org/request/show/739587
OBS-URL: https://build.opensuse.org/package/show/Apache/apr?expand=0&rev=33
---
 apr.changes | 5 +++++
 apr.spec | 3 ---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/apr.changes b/apr.changes
index 299c19c..861db76 100644
--- a/apr.changes
+++ b/apr.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Oct 17 13:28:50 UTC 2019 - Richard Brown
+
+- Remove obsolete Groups tag (fate#326485)
+
 -------------------------------------------------------------------
 Sat Aug 3 14:11:24 UTC 2019 - Manu Maier
diff --git a/apr.spec b/apr.spec
index 013c251..dc52cf9 100644
--- a/apr.spec
+++ b/apr.spec
@@ -25,7 +25,6 @@ Version: 1.7.0
 Release: 0
 Summary: Apache Portable Runtime (APR) Library
 License: Apache-2.0
-Group: Development/Libraries/C and C++
 URL: https://apr.apache.org/
 Source0: https://www.apache.org/dist/apr/apr-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/apr/apr-%{version}.tar.bz2.asc
@@ -51,7 +50,6 @@ underlying platform-specific implementations.
 %package -n %{libname}
 Summary: Apache Portable Runtime (APR) Library
-Group: System/Libraries
 %description -n %{libname}
 APR is Apache's Portable Runtime Library, designed to be a support
@@ -68,7 +66,6 @@ ID services.
 %package devel
 Summary: Development files for the Apache Portable Runtime (APR) library
-Group: Development/Libraries/C and C++
 Requires: %{libname} = %{version}
 Provides: %{libname}-devel = %{version}
 Obsoletes: %{libname}-devel < %{version}-%{release}
From 825d73e9d58f96526ffa0d0e20f80fdc72d63ed6cc5bf2535e825e506bdd510b Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Fri, 18 Oct 2019 09:16:50 +0000
Subject: [PATCH 2/4] Accepting request 741024 from openSUSE:Factory

revert

OBS-URL: https://build.opensuse.org/request/show/741024
OBS-URL: https://build.opensuse.org/package/show/Apache/apr?expand=0&rev=34
---
 apr.changes | 5 -----
 apr.spec | 3 +++
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/apr.changes b/apr.changes
index 861db76..299c19c 100644
--- a/apr.changes
+++ b/apr.changes
@@ -1,8 +1,3 @@
--------------------------------------------------------------------
-Thu Oct 17 13:28:50 UTC 2019 - Richard Brown
-
-- Remove obsolete Groups tag (fate#326485)
-
 -------------------------------------------------------------------
 Sat Aug 3 14:11:24 UTC 2019 - Manu Maier
diff --git a/apr.spec b/apr.spec
index dc52cf9..013c251 100644
--- a/apr.spec
+++ b/apr.spec
@@ -25,6 +25,7 @@ Version: 1.7.0
 Release: 0
 Summary: Apache Portable Runtime (APR) Library
 License: Apache-2.0
+Group: Development/Libraries/C and C++
 URL: https://apr.apache.org/
 Source0: https://www.apache.org/dist/apr/apr-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/apr/apr-%{version}.tar.bz2.asc
@@ -50,6 +51,7 @@ underlying platform-specific implementations.
 %package -n %{libname}
 Summary: Apache Portable Runtime (APR) Library
+Group: System/Libraries
 %description -n %{libname}
 APR is Apache's Portable Runtime Library, designed to be a support
@@ -66,6 +68,7 @@ ID services.
 %package devel
 Summary: Development files for the Apache Portable Runtime (APR) library
+Group: Development/Libraries/C and C++
 Requires: %{libname} = %{version}
 Provides: %{libname}-devel = %{version}
 Obsoletes: %{libname}-devel < %{version}-%{release}
From bc6a690024987b5f45d30daa9257d848e6a497130a008a73e6f600a061bcc22e Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Thu, 2 Sep 2021 07:16:12 +0000
Subject: [PATCH 3/4] - security update - added patches fix CVE-2021-3594 [bsc#1187367], invalid pointer initialization may lead to information disclosure (udp) + apr-CVE-2021-3594.patch

OBS-URL: https://build.opensuse.org/package/show/Apache/apr?expand=0&rev=35
---
 apr-CVE-2021-3594.patch | 56 +++++++++++++++++++++++++++++++++++++++++
 apr.changes | 8 ++++++
 apr.spec | 5 +++-
 3 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 apr-CVE-2021-3594.patch

diff --git a/apr-CVE-2021-3594.patch b/apr-CVE-2021-3594.patch
new file mode 100644
index 0000000..a7d6c81
--- /dev/null
+++ b/apr-CVE-2021-3594.patch
@@ -0,0 +1,56 @@
+--- 1.7.x/random/unix/sha2.c 2021/07/02 11:07:15 1891197
++++ 1.7.x/random/unix/sha2.c 2021/07/02 11:10:33 1891198
+@@ -425,7 +425,7 @@
+ usedspace = freespace = 0;
+ }
+
+-void apr__SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
++void apr__SHA256_Final(sha2_byte digest[SHA256_DIGEST_LENGTH], SHA256_CTX* context) {
+ sha2_word32 *d = (sha2_word32*)digest;
+ unsigned int usedspace;
+
+@@ -496,7 +496,7 @@
+ usedspace = 0;
+ }
+
+-char *apr__SHA256_End(SHA256_CTX* context, char buffer[]) {
++char *apr__SHA256_End(SHA256_CTX* context, char buffer[SHA256_DIGEST_STRING_LENGTH]) {
+ sha2_byte digest[SHA256_DIGEST_LENGTH], *d = digest;
+ int i;
+
+--- 1.7.x/time/unix/time.c 2021/07/02 11:07:15 1891197
++++ 1.7.x/time/unix/time.c 2021/07/02 11:10:33 1891198
+@@ -142,6 +142,9 @@
+ static const int dayoffset[12] =
+ {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+
++ if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++ return APR_EBADDATE;
++
+ /* shift new year to 1st March in order to make leap year calc easy */
+
+ if (xt->tm_mon < 2)
+--- 1.7.x/time/win32/time.c 2021/07/02 11:07:15 1891197
++++ 1.7.x/time/win32/time.c 2021/07/02 11:10:33 1891198
+@@ -54,6 +54,9 @@ static void SystemTimeToAprExpTime(apr_t
+ static const int dayoffset[12] =
+ {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
+
++ if (tm->wMonth < 1 || tm->wMonth > 12)
++ return APR_EBADDATE;
++
+ /* Note; the caller is responsible for filling in detailed tm_usec,
+ * tm_gmtoff and tm_isdst data when applicable.
+ */
+@@ -228,6 +231,9 @@ APR_DECLARE(apr_status_t) apr_time_exp_g
+ static const int dayoffset[12] =
+ {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+
++ if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++ return APR_EBADDATE;
++
+ /* shift new year to 1st March in order to make leap year calc easy */
+
+ if (xt->tm_mon < 2)
+
+
diff --git a/apr.changes b/apr.changes
index 299c19c..8234edc 100644
--- a/apr.changes
+++ b/apr.changes
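Review bot: The win32/time.c part of the new patch returns a value from a function that its own hunk header shows as `static void SystemTimeToAprExpTime(apr_t…`, so the added `return APR_EBADDATE;` at `@@ -54,6 +54,9 @@` is a constraint violation that compilers reject or at least warn on, and even where it compiles the caller has no way to observe the rejected `wMonth`, so the guard cannot actually report a bad date. A working check for that function would need either an `apr_status_t` return type or validation of `wMonth` at the call site, neither of which this hunk adds; the last commit in this series drops that part of the patch anyway. The two sha2.c hunks only change the declared sizes of the `digest[]` and `buffer[]` parameters, which C does not enforce at runtime, so they document the expected buffer sizes (and let recent compilers warn on mismatched callers) but add no bounds check. The effective fix is the unix/time.c guard rejecting `tm_mon` outside 0..11 before `dayoffset[12]` is indexed; that hunk carries no function name and its enclosing function starts outside the hunk.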
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Sep 2 07:15:59 UTC 2021 - pgajdos@suse.com
+
+- security update
+- added patches
+ fix CVE-2021-3594 [bsc#1187367], invalid pointer initialization may lead to information disclosure (udp)
+ + apr-CVE-2021-3594.patch
+
 -------------------------------------------------------------------
 Sat Aug 3 14:11:24 UTC 2019 - Manu Maier
diff --git a/apr.spec b/apr.spec
index 013c251..c0885ef 100644
--- a/apr.spec
+++ b/apr.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package apr
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -34,6 +34,8 @@ Patch5: apr-visibility.patch
 Patch9: apr-proc-mutex-map-anon.patch
 # prevent random failures of the testsuite (sendfile test)
 Patch10: apr-test-sendfile-timeout.patch
+# CVE-2021-3594 [bsc#1187367], invalid pointer initialization may lead to information disclosure (udp)
+Patch11: apr-CVE-2021-3594.patch
 BuildRequires: doxygen
 BuildRequires: fdupes
 BuildRequires: libtool
@@ -86,6 +88,7 @@ that want to make use of APR.
 %patch5 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 # Do not put date to doxy content
 sed -i \
From 0b66c702857b81fcacbf551c465e609f4222189be3ec6e52700db13bd2dbfcf0 Mon Sep 17 00:00:00 2001
From: Petr Gajdos
Date: Thu, 2 Sep 2021 07:21:40 +0000
Subject: [PATCH 4/4] OBS-URL: https://build.opensuse.org/package/show/Apache/apr?expand=0&rev=36
---
 apr-CVE-2021-3594.patch | 44 +---------------------------------------
 1 file changed, 1 insertion(+), 43 deletions(-)

diff --git a/apr-CVE-2021-3594.patch b/apr-CVE-2021-3594.patch
index a7d6c81..79577f4 100644
--- a/apr-CVE-2021-3594.patch
+++ b/apr-CVE-2021-3594.patch
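Review bot: The comment added above `Patch11:` in the apr.spec hunk at `@@ -34,6 +34,8 @@` describes the fix as "invalid pointer initialization may lead to information disclosure (udp)", which does not match what apr-CVE-2021-3594.patch on this page does: it adds a range check on the month field before a 12-entry `dayoffset` table is indexed and widens two sha2 prototypes with explicit array sizes. A maintainer reading the spec to decide whether the patch is still needed would be looking for the wrong defect. Suggest `# CVE-2021-3594 [bsc#1187367], missing month range check before the dayoffset[] lookup in apr time conversion`, and the same correction in the apr.changes entry, which repeats the wording.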
@@ -1,23 +1,4 @@
---- 1.7.x/random/unix/sha2.c 2021/07/02 11:07:15 1891197
-+++ 1.7.x/random/unix/sha2.c 2021/07/02 11:10:33 1891198
-@@ -425,7 +425,7 @@
- usedspace = freespace = 0;
- }
-
--void apr__SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
-+void apr__SHA256_Final(sha2_byte digest[SHA256_DIGEST_LENGTH], SHA256_CTX* context) {
- sha2_word32 *d = (sha2_word32*)digest;
- unsigned int usedspace;
-
-@@ -496,7 +496,7 @@
- usedspace = 0;
- }
-
--char *apr__SHA256_End(SHA256_CTX* context, char buffer[]) {
-+char *apr__SHA256_End(SHA256_CTX* context, char buffer[SHA256_DIGEST_STRING_LENGTH]) {
- sha2_byte digest[SHA256_DIGEST_LENGTH], *d = digest;
- int i;
-
+
 --- 1.7.x/time/unix/time.c 2021/07/02 11:07:15 1891197
 +++ 1.7.x/time/unix/time.c 2021/07/02 11:10:33 1891198
 @@ -142,6 +142,9 @@
@@ -30,27 +11,4 @@
 /* shift new year to 1st March in order to make leap year calc easy */
 if (xt->tm_mon < 2)
---- 1.7.x/time/win32/time.c 2021/07/02 11:07:15 1891197
-+++ 1.7.x/time/win32/time.c 2021/07/02 11:10:33 1891198
-@@ -54,6 +54,9 @@ static void SystemTimeToAprExpTime(apr_t
- static const int dayoffset[12] =
- {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
-
-+ if (tm->wMonth < 1 || tm->wMonth > 12)
-+ return APR_EBADDATE;
-+
- /* Note; the caller is responsible for filling in detailed tm_usec,
- * tm_gmtoff and tm_isdst data when applicable.
- */
-@@ -228,6 +231,9 @@ APR_DECLARE(apr_status_t) apr_time_exp_g
- static const int dayoffset[12] =
- {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
-
-+ if (xt->tm_mon < 0 || xt->tm_mon >= 12)
-+ return APR_EBADDATE;
-+
- /* shift new year to 1st March in order to make leap year calc easy */
-
- if (xt->tm_mon < 2)
-
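Review bot: This commit narrows apr-CVE-2021-3594.patch to the unix/time.c guard only, dropping the sha2.c prototype hunks in the first hunk and the whole win32/time.c part in the second, but its subject is just an OBS-URL and apr.changes is not touched, so nothing records why a security patch was trimmed. The reasons are visible on this page (the win32 hunk returned a status from a `static void` function and the sha2 hunks changed only declared array sizes), and a future rebase against upstream is likely to pull both parts back in if they are not written down. Suggest extending the `Patch11:` comment in apr.spec the next time it is edited, e.g. `# only the unix/time.c hunk is carried: the win32 hunk returns a value from a void function, the sha2 hunks are prototype-only`, and adding a matching apr.changes entry.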