3 changed files with 304 additions and 60 deletions
--- a/SOURCES/apr-util-1.6.1-CVE-2022-25147.patch
+++ b/SOURCES/apr-util-1.6.1-CVE-2022-25147.patch
@ -0,0 +1,127 @@
+diff --git a/encoding/apr_base64.c b/encoding/apr_base64.c
+index 1eed153..2803106 100644
+--- a/encoding/apr_base64.c
+++ b/encoding/apr_base64.c
+@@ -20,11 +20,20 @@
+  * ugly 'len' functions, which is quite a nasty cost.
+  */
+ 
+#undef NDEBUG /* always abort() on assert()ion failure */
+#include <assert.h>
+
+ #include "apr_base64.h"
+ #if APR_CHARSET_EBCDIC
+ #include "apr_xlate.h"
+ #endif				/* APR_CHARSET_EBCDIC */
+ 
+/* Above APR_BASE64_ENCODE_MAX length the encoding can't fit in an int >= 0 */
+#define APR_BASE64_ENCODE_MAX 1610612733
+
+/* Above APR_BASE64_DECODE_MAX length the decoding can't fit in an int >= 0 */
+#define APR_BASE64_DECODE_MAX 2863311524u
+
+ /* aaaack but it's fast and const should make it shared text page. */
+ static const unsigned char pr2six[256] =
+ {
+@@ -109,7 +118,6 @@ APU_DECLARE(apr_status_t) apr_base64init_ebcdic(apr_xlate_t *to_ascii,
+ 
+ APU_DECLARE(int) apr_base64_decode_len(const char *bufcoded)
+ {
+-    int nbytesdecoded;
+     register const unsigned char *bufin;
+     register apr_size_t nprbytes;
+ 
+@@ -117,16 +125,16 @@ APU_DECLARE(int) apr_base64_decode_len(const char *bufcoded)
+     while (pr2six[*(bufin++)] <= 63);
+ 
+     nprbytes = (bufin - (const unsigned char *) bufcoded) - 1;
+-    nbytesdecoded = (((int)nprbytes + 3) / 4) * 3;
+    assert(nprbytes <= APR_BASE64_DECODE_MAX);
+ 
+-    return nbytesdecoded + 1;
+    return (int)(((nprbytes + 3u) / 4u) * 3u + 1u);
+ }
+ 
+ APU_DECLARE(int) apr_base64_decode(char *bufplain, const char *bufcoded)
+ {
+ #if APR_CHARSET_EBCDIC
+     apr_size_t inbytes_left, outbytes_left;
+-#endif				/* APR_CHARSET_EBCDIC */
+#endif	/* APR_CHARSET_EBCDIC */
+     int len;
+     
+     len = apr_base64_decode_binary((unsigned char *) bufplain, bufcoded);
+@@ -153,12 +161,13 @@ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain,
+     bufin = (const unsigned char *) bufcoded;
+     while (pr2six[*(bufin++)] <= 63);
+     nprbytes = (bufin - (const unsigned char *) bufcoded) - 1;
+-    nbytesdecoded = (((int)nprbytes + 3) / 4) * 3;
+    assert(nprbytes <= APR_BASE64_DECODE_MAX);
+    nbytesdecoded = (int)(((nprbytes + 3u) / 4u) * 3u);
+ 
+     bufout = (unsigned char *) bufplain;
+     bufin = (const unsigned char *) bufcoded;
+ 
+-    while (nprbytes > 4) {
+    while (nprbytes >= 4) {
+ 	*(bufout++) =
+ 	    (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
+ 	*(bufout++) =
+@@ -178,13 +187,8 @@ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain,
+ 	*(bufout++) =
+ 	    (unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
+     }
+-    if (nprbytes > 3) {
+-	*(bufout++) =
+-	    (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
+-    }
+ 
+-    nbytesdecoded -= (4 - (int)nprbytes) & 3;
+-    return nbytesdecoded;
+    return nbytesdecoded - (int)((4u - nprbytes) & 3u);
+ }
+ 
+ static const char basis_64[] =
+@@ -192,6 +196,8 @@ static const char basis_64[] =
+ 
+ APU_DECLARE(int) apr_base64_encode_len(int len)
+ {
+    assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
+
+     return ((len + 2) / 3 * 4) + 1;
+ }
+ 
+@@ -203,6 +209,8 @@ APU_DECLARE(int) apr_base64_encode(char *encoded, const char *string, int len)
+     int i;
+     char *p;
+ 
+    assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
+
+     p = encoded;
+     for (i = 0; i < len - 2; i += 3) {
+ 	*p++ = basis_64[(os_toascii[string[i]] >> 2) & 0x3F];
+@@ -227,7 +235,7 @@ APU_DECLARE(int) apr_base64_encode(char *encoded, const char *string, int len)
+     }
+ 
+     *p++ = '\0';
+-    return p - encoded;
+    return (unsigned int)(p - encoded);
+ #endif				/* APR_CHARSET_EBCDIC */
+ }
+ 
+@@ -240,6 +248,8 @@ APU_DECLARE(int) apr_base64_encode_binary(char *encoded,
+     int i;
+     char *p;
+ 
+    assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
+
+     p = encoded;
+     for (i = 0; i < len - 2; i += 3) {
+ 	*p++ = basis_64[(string[i] >> 2) & 0x3F];
+@@ -264,5 +274,5 @@ APU_DECLARE(int) apr_base64_encode_binary(char *encoded,
+     }
+ 
+     *p++ = '\0';
+-    return (int)(p - encoded);
+    return (unsigned int)(p - encoded);
+ }
--- a/SOURCES/apr-util-1.6.1-r1907242+.patch
+++ b/SOURCES/apr-util-1.6.1-r1907242+.patch
@ -0,0 +1,123 @@
+From 828d644c8eba8765843985d9293f033898ed0592 Mon Sep 17 00:00:00 2001
+From: Joe Orton <jorton@apache.org>
+Date: Fri, 3 Feb 2023 15:12:10 +0000
+Subject: [PATCH] * memcache/apr_memcache.c (conn_connect): Allow use of IPv6  
+ rather than forcing name resolution to IPv4 only.
+
+Submitted by: Lubos Uhliarik <luhliari redhat.com>
+Github: closes #39
+
+
+git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1907242 13f79535-47bb-0310-9956-ffa450edef68
+---
+ memcache/apr_memcache.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/memcache/apr_memcache.c b/memcache/apr_memcache.c
+index 5f8135c52c..18806281a4 100644
+--- a/memcache/apr_memcache.c
+++ b/memcache/apr_memcache.c
+@@ -290,9 +290,9 @@ static apr_status_t conn_connect(apr_memcache_conn_t *conn)
+     apr_status_t rv = APR_SUCCESS;
+     apr_sockaddr_t *sa;
+ #if APR_HAVE_SOCKADDR_UN
+-    apr_int32_t family = conn->ms->host[0] != '/' ? APR_INET : APR_UNIX;
+    apr_int32_t family = conn->ms->host[0] != '/' ? APR_UNSPEC : APR_UNIX;
+ #else
+-    apr_int32_t family = APR_INET;
+    apr_int32_t family = APR_UNSPEC;
+ #endif
+ 
+     rv = apr_sockaddr_info_get(&sa, conn->ms->host, family, conn->ms->port, 0, conn->p);
+@@ -328,9 +328,9 @@ mc_conn_construct(void **conn_, void *params, apr_pool_t *pool)
+     apr_pool_t *tp;
+     apr_memcache_server_t *ms = params;
+ #if APR_HAVE_SOCKADDR_UN
+-    apr_int32_t family = ms->host[0] != '/' ? APR_INET : APR_UNIX;
+    apr_int32_t family = ms->host[0] != '/' ? APR_UNSPEC : APR_UNIX;
+ #else
+-    apr_int32_t family = APR_INET;
+    apr_int32_t family = APR_UNSPEC;
+ #endif
+ 
+     rv = apr_pool_create(&np, pool);
+
+From 59341af138dd2c6fe9444ee9c865b769c0053bdd Mon Sep 17 00:00:00 2001
+From: Joe Orton <jorton@apache.org>
+Date: Tue, 27 Jun 2023 14:06:09 +0000
+Subject: [PATCH] * memcache/apr_memcache.c (conn_connect, mc_conn_construct):
+ Fix   regression in IPv4 handling in r1907242. Cycle through the address  
+ list handling v4/v6 addresses correctly.
+
+Submitted by: Lubos Uhliarik <luhliari redhat.com>
+Github: closes #44
+
+
+git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1910629 13f79535-47bb-0310-9956-ffa450edef68
+---
+ memcache/apr_memcache.c | 36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/memcache/apr_memcache.c b/memcache/apr_memcache.c
+index 41b93a0a33..09779d91b5 100644
+--- a/memcache/apr_memcache.c
+++ b/memcache/apr_memcache.c
+@@ -300,14 +300,26 @@ static apr_status_t conn_connect(apr_memcache_conn_t *conn)
+         return rv;
+     }
+ 
+-    rv = apr_socket_timeout_set(conn->sock, 1 * APR_USEC_PER_SEC);
+-    if (rv != APR_SUCCESS) {
+-        return rv;
+    /* Cycle through address until a connect() succeeds. */
+    for (; sa; sa = sa->next) {
+        rv = apr_socket_create(&conn->sock, sa->family, SOCK_STREAM, 0, conn->p);
+        if (rv == APR_SUCCESS) {
+            rv = apr_socket_timeout_set(conn->sock, 1 * APR_USEC_PER_SEC);
+            if (rv != APR_SUCCESS) {
+                return rv;
+            }
+
+            rv = apr_socket_connect(conn->sock, sa);
+            if (rv == APR_SUCCESS) {
+                break;
+            }
+
+            apr_socket_close(conn->sock);
+        }
+     }
+ 
+-    rv = apr_socket_connect(conn->sock, sa);
+-    if (rv != APR_SUCCESS) {
+-        return rv;
+    if (!sa) {
+        return APR_ECONNREFUSED;
+     }
+ 
+     rv = apr_socket_timeout_set(conn->sock, -1);
+@@ -327,11 +339,6 @@ mc_conn_construct(void **conn_, void *params, apr_pool_t *pool)
+     apr_pool_t *np;
+     apr_pool_t *tp;
+     apr_memcache_server_t *ms = params;
+-#if APR_HAVE_SOCKADDR_UN
+-    apr_int32_t family = ms->host[0] != '/' ? APR_UNSPEC : APR_UNIX;
+-#else
+-    apr_int32_t family = APR_UNSPEC;
+-#endif
+ 
+     rv = apr_pool_create(&np, pool);
+     if (rv != APR_SUCCESS) {
+@@ -349,13 +356,6 @@ mc_conn_construct(void **conn_, void *params, apr_pool_t *pool)
+     conn->p = np;
+     conn->tp = tp;
+ 
+-    rv = apr_socket_create(&conn->sock, family, SOCK_STREAM, 0, np);
+-
+-    if (rv != APR_SUCCESS) {
+-        apr_pool_destroy(np);
+-        return rv;
+-    }
+-
+     conn->buffer = apr_palloc(conn->p, BUFFER_SIZE + 1);
+     conn->blen = 0;
+     conn->ms = ms;
--- a/SPECS/apr-util.spec
+++ b/SPECS/apr-util.spec
@ -16,22 +16,26 @@
 Summary: Apache Portable Runtime Utility library
 Name: apr-util
 Version: 1.6.1
-Release: 20%{?dist}
+Release: 9%{?dist}
 License: ASL 2.0
-URL: https://apr.apache.org/
-Source0: https://www.apache.org/dist/apr/%{name}-%{version}.tar.bz2
+Group: System Environment/Libraries
+URL: http://apr.apache.org/
+Source0: http://www.apache.org/dist/apr/%{name}-%{version}.tar.bz2
 Patch1: apr-util-1.2.7-pkgconf.patch
 Patch4: apr-util-1.4.1-private.patch
 Patch5: apr-util-mariadb-upstream.patch
-BuildRequires: gcc
+# https://bugzilla.redhat.com/show_bug.cgi?id=2063562
+Patch6: apr-util-1.6.1-r1907242+.patch
+
+# Security patches:
+# https://bugzilla.redhat.com/show_bug.cgi?id=2169652
+Patch100: apr-util-1.6.1-CVE-2022-25147.patch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
 BuildRequires: autoconf, apr-devel >= 1.3.0
 BuildRequires: %{dbdep}, expat-devel, libuuid-devel
+Recommends: apr-util-bdb%{?_isa} = %{version}-%{release}
 Recommends: apr-util-openssl%{_isa} = %{version}-%{release}
-%if 0%{?fedora} < 27
-Requires: apr-util-bdb%{?_isa} = %{version}-%{release}
-%else
-Recommends: apr-util-bdb%{_isa} = %{version}-%{release}
-%endif

 %description
 The mission of the Apache Portable Runtime (APR) is to provide a
@ -40,6 +44,7 @@ contains additional utility interfaces for APR; including support
 for XML, LDAP, database interfaces, URI parsing and more.

 %package devel
+Group: Development/Libraries
 Summary: APR utility library development kit
 Requires: apr-util%{?_isa} = %{version}-%{release}, apr-devel%{?_isa}, pkgconfig
 Requires: %{dbdep}%{?_isa}, expat-devel%{?_isa}, openldap-devel%{?_isa}
@ -51,8 +56,9 @@ of the Apache Portable Runtime (APR) is to provide a free
 library of C data structures and routines.

 %package pgsql
+Group: Development/Libraries
 Summary: APR utility library PostgreSQL DBD driver
-BuildRequires: libpq-devel
+BuildRequires: postgresql-devel
 Requires: apr-util%{?_isa} = %{version}-%{release}

 %description pgsql
@ -60,7 +66,9 @@ This package provides the PostgreSQL driver for the apr-util
 DBD (database abstraction) interface.

 %package bdb
+Group: Development/Libraries
 Summary: APR utility library Berkeley DB driver
+BuildRequires: postgresql-devel
 Requires: apr-util%{?_isa} = %{version}-%{release}

 %description bdb
@ -68,6 +76,7 @@ This package provides the Berkeley DB driver for the apr-util
 DBM (database abstraction) interface.

 %package mysql
+Group: Development/Libraries
 Summary: APR utility library MySQL DBD driver
 BuildRequires: mariadb-connector-c-devel
 Requires: apr-util%{?_isa} = %{version}-%{release}
@ -77,6 +86,7 @@ This package provides the MySQL driver for the apr-util DBD
 (database abstraction) interface.

 %package sqlite
+Group: Development/Libraries
 Summary: APR utility library SQLite DBD driver
 BuildRequires: sqlite-devel >= 3.0.0
 Requires: apr-util%{?_isa} = %{version}-%{release}
@ -86,6 +96,7 @@ This package provides the SQLite driver for the apr-util DBD
 (database abstraction) interface.

 %package odbc
+Group: Development/Libraries
 Summary: APR utility library ODBC DBD driver
 BuildRequires: unixODBC-devel
 Requires: apr-util%{?_isa} = %{version}-%{release}
@ -95,6 +106,7 @@ This package provides the ODBC driver for the apr-util DBD
 (database abstraction) interface.

 %package ldap
+Group: Development/Libraries
 Summary: APR utility library LDAP support
 BuildRequires: openldap-devel
 Requires: apr-util%{?_isa} = %{version}-%{release}
@ -103,6 +115,7 @@ Requires: apr-util%{?_isa} = %{version}-%{release}
 This package provides the LDAP support for the apr-util.

 %package openssl
+Group: Development/Libraries
 Summary: APR utility library OpenSSL crypto support
 BuildRequires: openssl-devel
 Requires: apr-util%{?_isa} = %{version}-%{release}
@ -112,9 +125,9 @@ This package provides the OpenSSL crypto support for the apr-util.

 %if %{with_nss}
 %package nss
+Group: Development/Libraries
 Summary: APR utility library NSS crypto support
 BuildRequires: nss-devel
-BuildRequires: make
 Requires: apr-util%{?_isa} = %{version}-%{release}

 %description nss
@ -126,6 +139,9 @@ This package provides the NSS crypto support for the apr-util.
 %patch1 -p1 -b .pkgconf
 %patch4 -p1 -b .private
 %patch5 -p1 -b .maria
+%patch6 -p1 -b .r1907242
+
+%patch100 -p1 -b .CVE-2022-25147

 %build
 autoheader && autoconf
@ -144,11 +160,11 @@ export ac_cv_ldap_set_rebind_proc_style=three
 %else
        --without-nss
 %endif
-%{make_build}
+make %{?_smp_mflags}

 %install
 rm -rf $RPM_BUILD_ROOT
-%{make_install}
+make install DESTDIR=$RPM_BUILD_ROOT

 mkdir -p $RPM_BUILD_ROOT/%{_datadir}/aclocal
 install -m 644 build/find_apu.m4 $RPM_BUILD_ROOT/%{_datadir}/aclocal
@ -173,45 +189,60 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/apr-util-%{apuver}/*.*a
 # Run the less verbose test suites
 export MALLOC_CHECK_=2 MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
 cd test
-%{make_build} testall
+make %{?_smp_mflags} testall
 # testall breaks with DBD DSO; ignore
 export LD_LIBRARY_PATH=%{buildroot}/%{_libdir}/apr-util-%{apuver}
 ./testall -v -q

-%ldconfig_scriptlets
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig

 %files
+%defattr(-,root,root,-)
 %doc CHANGES LICENSE NOTICE
 %{_libdir}/libaprutil-%{apuver}.so.*
 %dir %{_libdir}/apr-util-%{apuver}

 %files bdb
+%defattr(-,root,root,-)
 %{_libdir}/apr-util-%{apuver}/apr_dbm_db*

 %files pgsql
+%defattr(-,root,root,-)
 %{_libdir}/apr-util-%{apuver}/apr_dbd_pgsql*

 %files mysql
+%defattr(-,root,root,-)
 %{_libdir}/apr-util-%{apuver}/apr_dbd_mysql*

 %files sqlite
+%defattr(-,root,root,-)
 %{_libdir}/apr-util-%{apuver}/apr_dbd_sqlite*

 %files odbc
+%defattr(-,root,root,-)
 %{_libdir}/apr-util-%{apuver}/apr_dbd_odbc*

 %files ldap
+%defattr(-,root,root,-)
 %{_libdir}/apr-util-%{apuver}/apr_ldap*

 %files openssl
+%defattr(-,root,root,-)
 %{_libdir}/apr-util-%{apuver}/apr_crypto_openssl*

 %if %{with_nss}
 %files nss
+%defattr(-,root,root,-)
 %{_libdir}/apr-util-%{apuver}/apr_crypto_nss*
 %endif

 %files devel
+%defattr(-,root,root,-)
 %{_bindir}/apu-%{apuver}-config
 %{_libdir}/libaprutil-%{apuver}.*a
 %{_libdir}/libaprutil-%{apuver}.so
@ -220,54 +251,17 @@ export LD_LIBRARY_PATH=%{buildroot}/%{_libdir}/apr-util-%{apuver}
 %{_datadir}/aclocal/*.m4

 %changelog
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.1-20
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
+* Tue Jun 27 2023 Luboš Uhliarik <luhliari@redhat.com> - 1.6.1-9
+- Related: #2063562 - mod_auth_openidc fails with IPv6 OIDCMemCacheServers

-* Wed Jul 28 2021 Florian Weimer <fweimer@redhat.com> - 1.6.1-19
- Rebuild to pick up OpenSSL 3.0 Beta ABI (#1984097)
+* Mon Jun 12 2023 Luboš Uhliarik <luhliari@redhat.com> - 1.6.1-8
+- Resolves: #2063562 - mod_auth_openidc fails with IPv6 OIDCMemCacheServers

-* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.1-18
- Rebuilt for RHEL 9 BETA for openssl 3.0
-  Related: rhbz#1971065
+* Wed May 31 2023 Luboš Uhliarik <luhliari@redhat.com> - 1.6.1-7
+- Resolves: #2196573 - CVE-2022-25147 apr-util: out-of-bounds writes in the apr_base64

-* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.6.1-17
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-
-* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 1.6.1-16
- rebuild for libpq ABI fix rhbz#1908268
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Mon May 04 2020 Tom Stellard <tstellar@redhat.com> - 1.6.1-13
- Use make_build and make_install macros
- https://docs.fedoraproject.org/en-US/packaging-guidelines/#_parallel_make
-
-* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 1.6.1-9
- Rebuilt for libcrypt.so.2 (#1666033)
-
-* Wed Sep 26 2018 Joe Orton <jorton@redhat.com> - 1.6.1-8
- Recommends: -openssl and -bdb so default crypto, dbm drivers are
-  always available (#1491151, #1633152)
-
-* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Fri Mar  9 2018 Bojan Smojver <bojan@rexursive.com> - 1.6.1-6
- add gcc build requirement
+* Mon Oct  1 2018 Joe Orton <jorton@redhat.com> - 1.6.1-6
+- Recommends: apr-util-openssl, apr-util-bdb (#1633973)

 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.1-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild