- security update

- added patches
  fix CVE-2021-3594 [bsc#1187367], invalid pointer initialization may lead to information disclosure (udp)
  + apr-CVE-2021-3594.patch

OBS-URL: https://build.opensuse.org/package/show/Apache/apr?expand=0&rev=35

apr-CVE-2021-3594.patch

@@ -0,0 +1,56 @@
+--- 1.7.x/random/unix/sha2.c	2021/07/02 11:07:15	1891197
++++ 1.7.x/random/unix/sha2.c	2021/07/02 11:10:33	1891198
+@@ -425,7 +425,7 @@
+         usedspace = freespace = 0;
+ }
+ 
+-void apr__SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
++void apr__SHA256_Final(sha2_byte digest[SHA256_DIGEST_LENGTH], SHA256_CTX* context) {
+         sha2_word32     *d = (sha2_word32*)digest;
+         unsigned int    usedspace;
+ 
+@@ -496,7 +496,7 @@
+         usedspace = 0;
+ }
+ 
+-char *apr__SHA256_End(SHA256_CTX* context, char buffer[]) {
++char *apr__SHA256_End(SHA256_CTX* context, char buffer[SHA256_DIGEST_STRING_LENGTH]) {
+         sha2_byte       digest[SHA256_DIGEST_LENGTH], *d = digest;
+         int             i;
+ 
+--- 1.7.x/time/unix/time.c	2021/07/02 11:07:15	1891197
++++ 1.7.x/time/unix/time.c	2021/07/02 11:10:33	1891198
+@@ -142,6 +142,9 @@
+     static const int dayoffset[12] =
+     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ 
++    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++        return APR_EBADDATE;
++
+     /* shift new year to 1st March in order to make leap year calc easy */
+ 
+     if (xt->tm_mon < 2)
+--- 1.7.x/time/win32/time.c	2021/07/02 11:07:15	1891197
++++ 1.7.x/time/win32/time.c	2021/07/02 11:10:33	1891198
+@@ -54,6 +54,9 @@ static void SystemTimeToAprExpTime(apr_t
+     static const int dayoffset[12] =
+     {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
+ 
++    if (tm->wMonth < 1 || tm->wMonth > 12)
++        return APR_EBADDATE;
++
+     /* Note; the caller is responsible for filling in detailed tm_usec,
+      * tm_gmtoff and tm_isdst data when applicable.
+      */
+@@ -228,6 +231,9 @@ APR_DECLARE(apr_status_t) apr_time_exp_g
+     static const int dayoffset[12] =
+     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ 
++    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++        return APR_EBADDATE;
++
+     /* shift new year to 1st March in order to make leap year calc easy */
+ 
+     if (xt->tm_mon < 2)
+
+

apr.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Sep  2 07:15:59 UTC 2021 - pgajdos@suse.com
+
+- security update
+- added patches
+  fix CVE-2021-3594 [bsc#1187367], invalid pointer initialization may lead to information disclosure (udp)
+  + apr-CVE-2021-3594.patch
+
 -------------------------------------------------------------------
 Sat Aug  3 14:11:24 UTC 2019 - Manu Maier <mmanu84@outlook.de>
 

apr.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package apr
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -34,6 +34,8 @@ Patch5:         apr-visibility.patch
 Patch9:         apr-proc-mutex-map-anon.patch
 # prevent random failures of the testsuite (sendfile test)
 Patch10:        apr-test-sendfile-timeout.patch
+# CVE-2021-3594 [bsc#1187367], invalid pointer initialization may lead to information disclosure (udp)
+Patch11:        apr-CVE-2021-3594.patch
 BuildRequires:  doxygen
 BuildRequires:  fdupes
 BuildRequires:  libtool
@@ -86,6 +88,7 @@ that want to make use of APR.
 %patch5 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 
 # Do not put date to doxy content
 sed -i \