From c9941b4ac1df3058f3b89dadc79809f95798d197 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 28 2017 21:17:02 +0000
Subject: import apr-1.4.8-3.el7_4.1
---
diff --git a/SOURCES/apr-1.4.8-CVE-2017-12613.patch b/SOURCES/apr-1.4.8-CVE-2017-12613.patch
new file mode 100644
index 0000000..4436f64
--- /dev/null
+++ b/SOURCES/apr-1.4.8-CVE-2017-12613.patch
@@ -0,0 +1,12 @@
+--- a/time/unix/time.c 2017/09/10 22:11:37 1807974
++++ b/time/unix/time.c 2017/09/10 22:30:14 1807975
+@@ -142,6 +142,9 @@
+ static const int dayoffset[12] =
+ {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+
++ if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++ return APR_EBADDATE;
++
+ /* shift new year to 1st March in order to make leap year calc easy */
+
+ if (xt->tm_mon < 2)
diff --git a/SPECS/apr.spec b/SPECS/apr.spec
index 20cc20e..e4380ee 100644
--- a/SPECS/apr.spec
+++ b/SPECS/apr.spec
@@ -6,7 +6,7 @@
 Summary: Apache Portable Runtime library
 Name: apr
 Version: 1.4.8
-Release: 3%{?dist}
+Release: 3%{?dist}.1
 # ASL 2.0: everything
 # ISC: network_io/apr-1.4.6/network_io/unix/inet_?to?.c
 # BSD with advertising: strings/apr_snprintf.c, strings/apr_fnmatch.c,
@@ -21,6 +21,9 @@ Source1: apr-wrapper.h
 Patch2: apr-1.2.2-locktimeout.patch
 Patch3: apr-1.2.2-libdir.patch
 Patch4: apr-1.2.7-pkgconf.patch
+
+#Security patches
+Patch10: apr-1.4.8-CVE-2017-12613.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
 BuildRequires: autoconf, libtool, libuuid-devel, python
 # To enable SCTP support
@@ -50,6 +53,9 @@ C data structures and routines.
 %patch3 -p1 -b .libdir
 %patch4 -p1 -b .pkgconf
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1506523
+%patch10 -p1 -b .CVE-2017-12613
+
 %build
 # regenerate configure script etc.
 ./buildconf
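Review bot: The new SOURCES/apr-1.4.8-CVE-2017-12613.patch has no preamble describing its origin, so the only provenance a maintainer gets is the `1807974`/`1807975` revision stamps on its inner `---`/`+++` lines; a one-line header above the first `---`, e.g. `Upstream r1807975 (CVE-2017-12613): reject tm_mon outside 0..11 before it is used as an index into dayoffset[12]`, would record what the spec's bugzilla comment does not. The guard itself is well placed: it rejects the month before the `xt->tm_mon < 2` shift and before the 12-entry `dayoffset` table is presumably indexed by it further down, so an out-of-range month in an apr_time_exp_t yields APR_EBADDATE instead of a read past the table. Only tm_mon is range-checked here; whether other fields of xt are consumed unchecked later in the function is outside the hunk, and the enclosing function both starts and ends outside it.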
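Review bot: The %prep comment added above `%patch10` cites bug 1506523 while the changelog entry in this same commit resolves #1507349; if one is the public tracker and the other the errata bug, saying so in the comment, `# CVE-2017-12613 - https://bugzilla.redhat.com/show_bug.cgi?id=1506523 (see also #1507349)`, spares the next maintainer from checking whether a second patch is missing. The `#Security patches` comment in the earlier hunk at @@ -21 has no space after `#`, unlike every other comment in the file (`# ASL 2.0`, `# To enable SCTP support`); `# Security patches` keeps the style consistent. The `-b .CVE-2017-12613` backup suffix follows the pattern of the existing %patch lines, which keeps the patched time.c diffable against its backup in the build tree.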
@@ -129,6 +135,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/*.m4
 %changelog
+* Mon Oct 30 2017 Luboš Uhliarik - 1.4.8-3.1
+- Resolves: #1507349 - CVE-2017-12613 apr: Out-of-bounds array deref
+ in apr_time_exp*() functions
+
 * Fri Jan 24 2014 Daniel Mach - 1.4.8-3
 - Mass rebuild 2014-01-24