Fix CVE-2022-25147
This commit is contained in:
fly_fzc
parent
66bb282474
commit
2a924db058
@ -2,7 +2,7 @@
|
||||
|
||||
Name: apr-util
|
||||
Version: 1.6.1
|
||||
Release: 13
|
||||
Release: 14
|
||||
Summary: apr-util provides a number of helpful abstractions on top of APR.
|
||||
License: ASL 2.0
|
||||
URL: http://apr.apache.org
|
||||
@ -14,6 +14,7 @@ Patch6002: Fix-error-handling-in-gdbm.patch
|
||||
Patch6003: Merge-r1834022-r1834023-r1834024-from-trunk.patch
|
||||
Patch6004: Remove-dereference-of-null-pointer.patch
|
||||
Patch6005: apr-util-Add-sw64-architecture.patch
|
||||
Patch6006: backport-CVE-2022-25147-apr_base64-Make-sure-encoding-decoding-lengths-fit-i.patch
|
||||
|
||||
BuildRequires: gcc autoconf apr-devel >= 1.6.0 gdbm-devel expat-devel libuuid-devel
|
||||
BuildRequires: mariadb-connector-c-devel sqlite-devel >= 3.1.0 openldap-devel openssl-devel
|
||||
@ -124,6 +125,9 @@ make test
|
||||
%{_libdir}/%{name}-%{apuver}/apr_dbd_odbc*
|
||||
|
||||
%changelog
|
||||
* Tue Feb 14 2023 fuanan <fuanan3@h-partners.com> - 1.6.1-14
|
||||
- Fix CVE-2022-25147
|
||||
|
||||
* Thu Jul 28 2022 wuzx<wuzx1226@qq.com> - 1.6.1-13
|
||||
- add sw64 patch
|
||||
|
||||
|
||||
@ -0,0 +1,159 @@
|
||||
From 850cc4f69639ac9f1c1c9767efaf4883ee3217ce Mon Sep 17 00:00:00 2001
|
||||
From: Yann Ylavic <ylavic@apache.org>
|
||||
Date: Thu, 23 Jun 2022 15:12:47 +0000
|
||||
Subject: [PATCH] apr_base64: Make sure encoding/decoding lengths fit in an int
|
||||
>= 0.
|
||||
|
||||
The (old) API of apr_base64 functions has always used int for representing
|
||||
lengths and it does not return errors. Make sure to abort() if the provided
|
||||
data don't fit.
|
||||
|
||||
* encoding/apr_base64.c():
|
||||
#define APR_BASE64_ENCODE_MAX and APR_BASE64_DECODE_MAX as the hard length
|
||||
limits for encoding and decoding respectively.
|
||||
|
||||
* encoding/apr_base64.c(apr_base64_encode_len, apr_base64_encode,
|
||||
apr_base64_encode_binary, apr_pbase64_encode):
|
||||
abort() if the given length is above APR_BASE64_ENCODE_MAX.
|
||||
|
||||
* encoding/apr_base64.c(apr_base64_decode_len, apr_base64_decode,
|
||||
apr_base64_decode_binary, apr_pbase64_decode):
|
||||
abort() if the given plain buffer length is above APR_BASE64_DECODE_MAX.
|
||||
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1902206 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
encoding/apr_base64.c | 46 ++++++++++++++++++++++++++-----------------
|
||||
1 file changed, 28 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/encoding/apr_base64.c b/encoding/apr_base64.c
|
||||
index b4b28cf75..f5c2786ad 100644
|
||||
--- a/encoding/apr_base64.c
|
||||
+++ b/encoding/apr_base64.c
|
||||
@@ -20,11 +20,20 @@
|
||||
* ugly 'len' functions, which is quite a nasty cost.
|
||||
*/
|
||||
|
||||
+#undef NDEBUG /* always abort() on assert()ion failure */
|
||||
+#include <assert.h>
|
||||
+
|
||||
#include "apr_base64.h"
|
||||
#if APR_CHARSET_EBCDIC
|
||||
#include "apr_xlate.h"
|
||||
#endif /* APR_CHARSET_EBCDIC */
|
||||
|
||||
+/* Above APR_BASE64_ENCODE_MAX length the encoding can't fit in an int >= 0 */
|
||||
+#define APR_BASE64_ENCODE_MAX 1610612733
|
||||
+
|
||||
+/* Above APR_BASE64_DECODE_MAX length the decoding can't fit in an int >= 0 */
|
||||
+#define APR_BASE64_DECODE_MAX 2863311524u
|
||||
+
|
||||
/* aaaack but it's fast and const should make it shared text page. */
|
||||
static const unsigned char pr2six[256] =
|
||||
{
|
||||
@@ -109,24 +118,22 @@ APU_DECLARE(apr_status_t) apr_base64init_ebcdic(apr_xlate_t *to_ascii,
|
||||
|
||||
APU_DECLARE(int) apr_base64_decode_len(const char *bufcoded)
|
||||
{
|
||||
- int nbytesdecoded;
|
||||
register const unsigned char *bufin;
|
||||
register apr_size_t nprbytes;
|
||||
|
||||
bufin = (const unsigned char *) bufcoded;
|
||||
while (pr2six[*(bufin++)] <= 63);
|
||||
-
|
||||
nprbytes = (bufin - (const unsigned char *) bufcoded) - 1;
|
||||
- nbytesdecoded = (((int)nprbytes + 3) / 4) * 3;
|
||||
+ assert(nprbytes <= APR_BASE64_DECODE_MAX);
|
||||
|
||||
- return nbytesdecoded + 1;
|
||||
+ return (int)(((nprbytes + 3u) / 4u) * 3u + 1u);
|
||||
}
|
||||
|
||||
APU_DECLARE(int) apr_base64_decode(char *bufplain, const char *bufcoded)
|
||||
{
|
||||
#if APR_CHARSET_EBCDIC
|
||||
apr_size_t inbytes_left, outbytes_left;
|
||||
-#endif /* APR_CHARSET_EBCDIC */
|
||||
+#endif /* APR_CHARSET_EBCDIC */
|
||||
int len;
|
||||
|
||||
len = apr_base64_decode_binary((unsigned char *) bufplain, bufcoded);
|
||||
@@ -154,12 +161,13 @@ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain,
|
||||
bufin = (const unsigned char *) bufcoded;
|
||||
while (pr2six[*(bufin++)] <= 63);
|
||||
nprbytes = (bufin - (const unsigned char *) bufcoded) - 1;
|
||||
- nbytesdecoded = (((int)nprbytes + 3) / 4) * 3;
|
||||
+ assert(nprbytes <= APR_BASE64_DECODE_MAX);
|
||||
+ nbytesdecoded = (int)(((nprbytes + 3u) / 4u) * 3u);
|
||||
|
||||
bufout = (unsigned char *) bufplain;
|
||||
bufin = (const unsigned char *) bufcoded;
|
||||
|
||||
- while (nprbytes > 4) {
|
||||
+ while (nprbytes >= 4) {
|
||||
*(bufout++) =
|
||||
(unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
|
||||
*(bufout++) =
|
||||
@@ -179,13 +187,8 @@ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain,
|
||||
*(bufout++) =
|
||||
(unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
|
||||
}
|
||||
- if (nprbytes > 3) {
|
||||
- *(bufout++) =
|
||||
- (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
|
||||
- }
|
||||
|
||||
- nbytesdecoded -= (4 - (int)nprbytes) & 3;
|
||||
- return nbytesdecoded;
|
||||
+ return nbytesdecoded - (int)((4u - nprbytes) & 3u);
|
||||
}
|
||||
|
||||
static const char basis_64[] =
|
||||
@@ -203,6 +206,8 @@ static const char basis_64[] =
|
||||
|
||||
APU_DECLARE(int) apr_base64_encode_len(int len)
|
||||
{
|
||||
+ assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
|
||||
+
|
||||
return ((len + 2) / 3 * 4) + 1;
|
||||
}
|
||||
|
||||
@@ -214,6 +219,8 @@ APU_DECLARE(int) apr_base64_encode(char *encoded, const char *string, int len)
|
||||
int i;
|
||||
char *p;
|
||||
|
||||
+ assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
|
||||
+
|
||||
p = encoded;
|
||||
for (i = 0; i < len - 2; i += 3) {
|
||||
*p++ = basis_64[(os_toascii[string[i]] >> 2) & 0x3F];
|
||||
@@ -238,7 +245,7 @@ APU_DECLARE(int) apr_base64_encode(char *encoded, const char *string, int len)
|
||||
}
|
||||
|
||||
*p++ = '\0';
|
||||
- return p - encoded;
|
||||
+ return (unsigned int)(p - encoded);
|
||||
#endif /* APR_CHARSET_EBCDIC */
|
||||
}
|
||||
|
||||
@@ -251,6 +258,8 @@ APU_DECLARE(int) apr_base64_encode_binary(char *encoded,
|
||||
int i;
|
||||
char *p;
|
||||
|
||||
+ assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
|
||||
+
|
||||
p = encoded;
|
||||
for (i = 0; i < len - 2; i += 3) {
|
||||
*p++ = basis_64[(string[i] >> 2) & 0x3F];
|
||||
@@ -275,5 +284,5 @@ APU_DECLARE(int) apr_base64_encode_binary(char *encoded,
|
||||
}
|
||||
|
||||
*p++ = '\0';
|
||||
- return (int)(p - encoded);
|
||||
+ return (unsigned int)(p - encoded);
|
||||
}
|
||||
--
|
||||
2.27.0
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user