From 3dbb84089a0e486fb9f3efa1edfdafab5eada6af Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 16 2023 10:21:13 +0000 Subject: import apr-util-1.6.1-6.el8_8.1 --- diff --git a/SOURCES/apr-util-1.6.1-CVE-2022-25147.patch b/SOURCES/apr-util-1.6.1-CVE-2022-25147.patch new file mode 100644 index 0000000..44e87e1 --- /dev/null +++ b/SOURCES/apr-util-1.6.1-CVE-2022-25147.patch @@ -0,0 +1,127 @@ +diff --git a/encoding/apr_base64.c b/encoding/apr_base64.c +index 1eed153..2803106 100644 +--- a/encoding/apr_base64.c ++++ b/encoding/apr_base64.c +@@ -20,11 +20,20 @@ + * ugly 'len' functions, which is quite a nasty cost. + */ + ++#undef NDEBUG /* always abort() on assert()ion failure */ ++#include ++ + #include "apr_base64.h" + #if APR_CHARSET_EBCDIC + #include "apr_xlate.h" + #endif /* APR_CHARSET_EBCDIC */ + ++/* Above APR_BASE64_ENCODE_MAX length the encoding can't fit in an int >= 0 */ ++#define APR_BASE64_ENCODE_MAX 1610612733 ++ ++/* Above APR_BASE64_DECODE_MAX length the decoding can't fit in an int >= 0 */ ++#define APR_BASE64_DECODE_MAX 2863311524u ++ + /* aaaack but it's fast and const should make it shared text page. */ + static const unsigned char pr2six[256] = + { +@@ -109,7 +118,6 @@ APU_DECLARE(apr_status_t) apr_base64init_ebcdic(apr_xlate_t *to_ascii, + + APU_DECLARE(int) apr_base64_decode_len(const char *bufcoded) + { +- int nbytesdecoded; + register const unsigned char *bufin; + register apr_size_t nprbytes; + +@@ -117,16 +125,16 @@ APU_DECLARE(int) apr_base64_decode_len(const char *bufcoded) + while (pr2six[*(bufin++)] <= 63); + + nprbytes = (bufin - (const unsigned char *) bufcoded) - 1; +- nbytesdecoded = (((int)nprbytes + 3) / 4) * 3; ++ assert(nprbytes <= APR_BASE64_DECODE_MAX); + +- return nbytesdecoded + 1; ++ return (int)(((nprbytes + 3u) / 4u) * 3u + 1u); + } + + APU_DECLARE(int) apr_base64_decode(char *bufplain, const char *bufcoded) + { + #if APR_CHARSET_EBCDIC + apr_size_t inbytes_left, outbytes_left; +-#endif /* APR_CHARSET_EBCDIC */ ++#endif /* APR_CHARSET_EBCDIC */ + int len; + + len = apr_base64_decode_binary((unsigned char *) bufplain, bufcoded); +@@ -153,12 +161,13 @@ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain, + bufin = (const unsigned char *) bufcoded; + while (pr2six[*(bufin++)] <= 63); + nprbytes = (bufin - (const unsigned char *) bufcoded) - 1; +- nbytesdecoded = (((int)nprbytes + 3) / 4) * 3; ++ assert(nprbytes <= APR_BASE64_DECODE_MAX); ++ nbytesdecoded = (int)(((nprbytes + 3u) / 4u) * 3u); + + bufout = (unsigned char *) bufplain; + bufin = (const unsigned char *) bufcoded; + +- while (nprbytes > 4) { ++ while (nprbytes >= 4) { + *(bufout++) = + (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4); + *(bufout++) = +@@ -178,13 +187,8 @@ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain, + *(bufout++) = + (unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2); + } +- if (nprbytes > 3) { +- *(bufout++) = +- (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]); +- } + +- nbytesdecoded -= (4 - (int)nprbytes) & 3; +- return nbytesdecoded; ++ return nbytesdecoded - (int)((4u - nprbytes) & 3u); + } + + static const char basis_64[] = +@@ -192,6 +196,8 @@ static const char basis_64[] = + + APU_DECLARE(int) apr_base64_encode_len(int len) + { ++ assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX); ++ + return ((len + 2) / 3 * 4) + 1; + } + +@@ -203,6 +209,8 @@ APU_DECLARE(int) apr_base64_encode(char *encoded, const char *string, int len) + int i; + char *p; + ++ assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX); ++ + p = encoded; + for (i = 0; i < len - 2; i += 3) { + *p++ = basis_64[(os_toascii[string[i]] >> 2) & 0x3F]; +@@ -227,7 +235,7 @@ APU_DECLARE(int) apr_base64_encode(char *encoded, const char *string, int len) + } + + *p++ = '\0'; +- return p - encoded; ++ return (unsigned int)(p - encoded); + #endif /* APR_CHARSET_EBCDIC */ + } + +@@ -240,6 +248,8 @@ APU_DECLARE(int) apr_base64_encode_binary(char *encoded, + int i; + char *p; + ++ assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX); ++ + p = encoded; + for (i = 0; i < len - 2; i += 3) { + *p++ = basis_64[(string[i] >> 2) & 0x3F]; +@@ -264,5 +274,5 @@ APU_DECLARE(int) apr_base64_encode_binary(char *encoded, + } + + *p++ = '\0'; +- return (int)(p - encoded); ++ return (unsigned int)(p - encoded); + } diff --git a/SPECS/apr-util.spec b/SPECS/apr-util.spec index f3b33d7..e66ced7 100644 --- a/SPECS/apr-util.spec +++ b/SPECS/apr-util.spec @@ -16,7 +16,7 @@ Summary: Apache Portable Runtime Utility library Name: apr-util Version: 1.6.1 -Release: 6%{?dist} +Release: 6%{?dist}.1 License: ASL 2.0 Group: System Environment/Libraries URL: http://apr.apache.org/ @@ -24,6 +24,11 @@ Source0: http://www.apache.org/dist/apr/%{name}-%{version}.tar.bz2 Patch1: apr-util-1.2.7-pkgconf.patch Patch4: apr-util-1.4.1-private.patch Patch5: apr-util-mariadb-upstream.patch + +# Security patches: +# https://bugzilla.redhat.com/show_bug.cgi?id=2169652 +Patch100: apr-util-1.6.1-CVE-2022-25147.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot BuildRequires: autoconf, apr-devel >= 1.3.0 BuildRequires: %{dbdep}, expat-devel, libuuid-devel @@ -133,6 +138,8 @@ This package provides the NSS crypto support for the apr-util. %patch4 -p1 -b .private %patch5 -p1 -b .maria +%patch100 -p1 -b .CVE-2022-25147 + %build autoheader && autoconf # A fragile autoconf test which fails if the code trips @@ -241,6 +248,10 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/*.m4 %changelog +* Tue May 09 2023 Luboš Uhliarik - 1.6.1-6.1 +- Resolves: #2196572 - CVE-2022-25147 apr-util: out-of-bounds writes + in the apr_base64 + * Mon Oct 1 2018 Joe Orton - 1.6.1-6 - Recommends: apr-util-openssl, apr-util-bdb (#1633973)