diff --git a/SOURCES/apr-util-1.6.1-CVE-2022-25147.patch b/SOURCES/apr-util-1.6.1-CVE-2022-25147.patch new file mode 100644 index 0000000..44e87e1 --- /dev/null +++ b/SOURCES/apr-util-1.6.1-CVE-2022-25147.patch @@ -0,0 +1,127 @@ +diff --git a/encoding/apr_base64.c b/encoding/apr_base64.c +index 1eed153..2803106 100644 +--- a/encoding/apr_base64.c ++++ b/encoding/apr_base64.c +@@ -20,11 +20,20 @@ + * ugly 'len' functions, which is quite a nasty cost. + */ + ++#undef NDEBUG /* always abort() on assert()ion failure */ ++#include ++ + #include "apr_base64.h" + #if APR_CHARSET_EBCDIC + #include "apr_xlate.h" + #endif /* APR_CHARSET_EBCDIC */ + ++/* Above APR_BASE64_ENCODE_MAX length the encoding can't fit in an int >= 0 */ ++#define APR_BASE64_ENCODE_MAX 1610612733 ++ ++/* Above APR_BASE64_DECODE_MAX length the decoding can't fit in an int >= 0 */ ++#define APR_BASE64_DECODE_MAX 2863311524u ++ + /* aaaack but it's fast and const should make it shared text page. */ + static const unsigned char pr2six[256] = + { +@@ -109,7 +118,6 @@ APU_DECLARE(apr_status_t) apr_base64init_ebcdic(apr_xlate_t *to_ascii, + + APU_DECLARE(int) apr_base64_decode_len(const char *bufcoded) + { +- int nbytesdecoded; + register const unsigned char *bufin; + register apr_size_t nprbytes; + +@@ -117,16 +125,16 @@ APU_DECLARE(int) apr_base64_decode_len(const char *bufcoded) + while (pr2six[*(bufin++)] <= 63); + + nprbytes = (bufin - (const unsigned char *) bufcoded) - 1; +- nbytesdecoded = (((int)nprbytes + 3) / 4) * 3; ++ assert(nprbytes <= APR_BASE64_DECODE_MAX); + +- return nbytesdecoded + 1; ++ return (int)(((nprbytes + 3u) / 4u) * 3u + 1u); + } + + APU_DECLARE(int) apr_base64_decode(char *bufplain, const char *bufcoded) + { + #if APR_CHARSET_EBCDIC + apr_size_t inbytes_left, outbytes_left; +-#endif /* APR_CHARSET_EBCDIC */ ++#endif /* APR_CHARSET_EBCDIC */ + int len; + + len = apr_base64_decode_binary((unsigned char *) bufplain, bufcoded); +@@ -153,12 +161,13 @@ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain, + bufin = (const unsigned char *) bufcoded; + while (pr2six[*(bufin++)] <= 63); + nprbytes = (bufin - (const unsigned char *) bufcoded) - 1; +- nbytesdecoded = (((int)nprbytes + 3) / 4) * 3; ++ assert(nprbytes <= APR_BASE64_DECODE_MAX); ++ nbytesdecoded = (int)(((nprbytes + 3u) / 4u) * 3u); + + bufout = (unsigned char *) bufplain; + bufin = (const unsigned char *) bufcoded; + +- while (nprbytes > 4) { ++ while (nprbytes >= 4) { + *(bufout++) = + (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4); + *(bufout++) = +@@ -178,13 +187,8 @@ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain, + *(bufout++) = + (unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2); + } +- if (nprbytes > 3) { +- *(bufout++) = +- (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]); +- } + +- nbytesdecoded -= (4 - (int)nprbytes) & 3; +- return nbytesdecoded; ++ return nbytesdecoded - (int)((4u - nprbytes) & 3u); + } + + static const char basis_64[] = +@@ -192,6 +196,8 @@ static const char basis_64[] = + + APU_DECLARE(int) apr_base64_encode_len(int len) + { ++ assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX); ++ + return ((len + 2) / 3 * 4) + 1; + } + +@@ -203,6 +209,8 @@ APU_DECLARE(int) apr_base64_encode(char *encoded, const char *string, int len) + int i; + char *p; + ++ assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX); ++ + p = encoded; + for (i = 0; i < len - 2; i += 3) { + *p++ = basis_64[(os_toascii[string[i]] >> 2) & 0x3F]; +@@ -227,7 +235,7 @@ APU_DECLARE(int) apr_base64_encode(char *encoded, const char *string, int len) + } + + *p++ = '\0'; +- return p - encoded; ++ return (unsigned int)(p - encoded); + #endif /* APR_CHARSET_EBCDIC */ + } + +@@ -240,6 +248,8 @@ APU_DECLARE(int) apr_base64_encode_binary(char *encoded, + int i; + char *p; + ++ assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX); ++ + p = encoded; + for (i = 0; i < len - 2; i += 3) { + *p++ = basis_64[(string[i] >> 2) & 0x3F]; +@@ -264,5 +274,5 @@ APU_DECLARE(int) apr_base64_encode_binary(char *encoded, + } + + *p++ = '\0'; +- return (int)(p - encoded); ++ return (unsigned int)(p - encoded); + } diff --git a/SOURCES/apr-util-1.6.1-r1907242+.patch b/SOURCES/apr-util-1.6.1-r1907242+.patch new file mode 100644 index 0000000..b964a63 --- /dev/null +++ b/SOURCES/apr-util-1.6.1-r1907242+.patch @@ -0,0 +1,123 @@ +From 828d644c8eba8765843985d9293f033898ed0592 Mon Sep 17 00:00:00 2001 +From: Joe Orton +Date: Fri, 3 Feb 2023 15:12:10 +0000 +Subject: [PATCH] * memcache/apr_memcache.c (conn_connect): Allow use of IPv6 + rather than forcing name resolution to IPv4 only. + +Submitted by: Lubos Uhliarik +Github: closes #39 + + +git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1907242 13f79535-47bb-0310-9956-ffa450edef68 +--- + memcache/apr_memcache.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/memcache/apr_memcache.c b/memcache/apr_memcache.c +index 5f8135c52c..18806281a4 100644 +--- a/memcache/apr_memcache.c ++++ b/memcache/apr_memcache.c +@@ -290,9 +290,9 @@ static apr_status_t conn_connect(apr_memcache_conn_t *conn) + apr_status_t rv = APR_SUCCESS; + apr_sockaddr_t *sa; + #if APR_HAVE_SOCKADDR_UN +- apr_int32_t family = conn->ms->host[0] != '/' ? APR_INET : APR_UNIX; ++ apr_int32_t family = conn->ms->host[0] != '/' ? APR_UNSPEC : APR_UNIX; + #else +- apr_int32_t family = APR_INET; ++ apr_int32_t family = APR_UNSPEC; + #endif + + rv = apr_sockaddr_info_get(&sa, conn->ms->host, family, conn->ms->port, 0, conn->p); +@@ -328,9 +328,9 @@ mc_conn_construct(void **conn_, void *params, apr_pool_t *pool) + apr_pool_t *tp; + apr_memcache_server_t *ms = params; + #if APR_HAVE_SOCKADDR_UN +- apr_int32_t family = ms->host[0] != '/' ? APR_INET : APR_UNIX; ++ apr_int32_t family = ms->host[0] != '/' ? APR_UNSPEC : APR_UNIX; + #else +- apr_int32_t family = APR_INET; ++ apr_int32_t family = APR_UNSPEC; + #endif + + rv = apr_pool_create(&np, pool); + +From 59341af138dd2c6fe9444ee9c865b769c0053bdd Mon Sep 17 00:00:00 2001 +From: Joe Orton +Date: Tue, 27 Jun 2023 14:06:09 +0000 +Subject: [PATCH] * memcache/apr_memcache.c (conn_connect, mc_conn_construct): + Fix regression in IPv4 handling in r1907242. Cycle through the address + list handling v4/v6 addresses correctly. + +Submitted by: Lubos Uhliarik +Github: closes #44 + + +git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1910629 13f79535-47bb-0310-9956-ffa450edef68 +--- + memcache/apr_memcache.c | 36 ++++++++++++++++++------------------ + 1 file changed, 18 insertions(+), 18 deletions(-) + +diff --git a/memcache/apr_memcache.c b/memcache/apr_memcache.c +index 41b93a0a33..09779d91b5 100644 +--- a/memcache/apr_memcache.c ++++ b/memcache/apr_memcache.c +@@ -300,14 +300,26 @@ static apr_status_t conn_connect(apr_memcache_conn_t *conn) + return rv; + } + +- rv = apr_socket_timeout_set(conn->sock, 1 * APR_USEC_PER_SEC); +- if (rv != APR_SUCCESS) { +- return rv; ++ /* Cycle through address until a connect() succeeds. */ ++ for (; sa; sa = sa->next) { ++ rv = apr_socket_create(&conn->sock, sa->family, SOCK_STREAM, 0, conn->p); ++ if (rv == APR_SUCCESS) { ++ rv = apr_socket_timeout_set(conn->sock, 1 * APR_USEC_PER_SEC); ++ if (rv != APR_SUCCESS) { ++ return rv; ++ } ++ ++ rv = apr_socket_connect(conn->sock, sa); ++ if (rv == APR_SUCCESS) { ++ break; ++ } ++ ++ apr_socket_close(conn->sock); ++ } + } + +- rv = apr_socket_connect(conn->sock, sa); +- if (rv != APR_SUCCESS) { +- return rv; ++ if (!sa) { ++ return APR_ECONNREFUSED; + } + + rv = apr_socket_timeout_set(conn->sock, -1); +@@ -327,11 +339,6 @@ mc_conn_construct(void **conn_, void *params, apr_pool_t *pool) + apr_pool_t *np; + apr_pool_t *tp; + apr_memcache_server_t *ms = params; +-#if APR_HAVE_SOCKADDR_UN +- apr_int32_t family = ms->host[0] != '/' ? APR_UNSPEC : APR_UNIX; +-#else +- apr_int32_t family = APR_UNSPEC; +-#endif + + rv = apr_pool_create(&np, pool); + if (rv != APR_SUCCESS) { +@@ -349,13 +356,6 @@ mc_conn_construct(void **conn_, void *params, apr_pool_t *pool) + conn->p = np; + conn->tp = tp; + +- rv = apr_socket_create(&conn->sock, family, SOCK_STREAM, 0, np); +- +- if (rv != APR_SUCCESS) { +- apr_pool_destroy(np); +- return rv; +- } +- + conn->buffer = apr_palloc(conn->p, BUFFER_SIZE + 1); + conn->blen = 0; + conn->ms = ms; diff --git a/SPECS/apr-util.spec b/SPECS/apr-util.spec index f3b33d7..9a64999 100644 --- a/SPECS/apr-util.spec +++ b/SPECS/apr-util.spec @@ -16,7 +16,7 @@ Summary: Apache Portable Runtime Utility library Name: apr-util Version: 1.6.1 -Release: 6%{?dist} +Release: 9%{?dist} License: ASL 2.0 Group: System Environment/Libraries URL: http://apr.apache.org/ @@ -24,6 +24,13 @@ Source0: http://www.apache.org/dist/apr/%{name}-%{version}.tar.bz2 Patch1: apr-util-1.2.7-pkgconf.patch Patch4: apr-util-1.4.1-private.patch Patch5: apr-util-mariadb-upstream.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2063562 +Patch6: apr-util-1.6.1-r1907242+.patch + +# Security patches: +# https://bugzilla.redhat.com/show_bug.cgi?id=2169652 +Patch100: apr-util-1.6.1-CVE-2022-25147.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot BuildRequires: autoconf, apr-devel >= 1.3.0 BuildRequires: %{dbdep}, expat-devel, libuuid-devel @@ -132,6 +139,9 @@ This package provides the NSS crypto support for the apr-util. %patch1 -p1 -b .pkgconf %patch4 -p1 -b .private %patch5 -p1 -b .maria +%patch6 -p1 -b .r1907242 + +%patch100 -p1 -b .CVE-2022-25147 %build autoheader && autoconf @@ -241,6 +251,15 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/*.m4 %changelog +* Tue Jun 27 2023 Luboš Uhliarik - 1.6.1-9 +- Related: #2063562 - mod_auth_openidc fails with IPv6 OIDCMemCacheServers + +* Mon Jun 12 2023 Luboš Uhliarik - 1.6.1-8 +- Resolves: #2063562 - mod_auth_openidc fails with IPv6 OIDCMemCacheServers + +* Wed May 31 2023 Luboš Uhliarik - 1.6.1-7 +- Resolves: #2196573 - CVE-2022-25147 apr-util: out-of-bounds writes in the apr_base64 + * Mon Oct 1 2018 Joe Orton - 1.6.1-6 - Recommends: apr-util-openssl, apr-util-bdb (#1633973)