packages/apr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2017-12613

Browse Source
This commit is contained in:
linwei9 2020-06-24 17:31:17 +08:00
parent 03ed364cef
commit 10a509424e
2 changed files with 66 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
Bounds-check-human-readable-date-fields-credit-Stefa.patch Normal file
View File

@ -0,0 +1,53 @@
From ad958385a4180d7a83d90589689fcd36e3bbc57a Mon Sep 17 00:00:00 2001
From: Nick Kew <niq@apache.org>
Date: Sun, 10 Sep 2017 22:30:14 +0000
Subject: [PATCH] Bounds-check human-readable date fields (credit: Stefan
Sperling)
git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1807975 13f79535-47bb-0310-9956-ffa450edef68
---
time/unix/time.c | 3 +++
time/win32/time.c | 6 ++++++
2 files changed, 9 insertions(+)
diff --git a/time/unix/time.c b/time/unix/time.c
index dfa45e6..7f09581 100644
--- a/time/unix/time.c
+++ b/time/unix/time.c
@@ -142,6 +142,9 @@ APR_DECLARE(apr_status_t) apr_time_exp_get(apr_time_t *t, apr_time_exp_t *xt)
static const int dayoffset[12] =
{306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ if (xt->tm_mon < 0 || xt->tm_mon >= 12)
+ return APR_EBADDATE;
+
/* shift new year to 1st March in order to make leap year calc easy */
if (xt->tm_mon < 2)
diff --git a/time/win32/time.c b/time/win32/time.c
index 2349799..1a70544 100644
--- a/time/win32/time.c
+++ b/time/win32/time.c
@@ -54,6 +54,9 @@ static void SystemTimeToAprExpTime(apr_time_exp_t *xt, SYSTEMTIME *tm)
static const int dayoffset[12] =
{0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
+ if (tm->wMonth < 1 || tm->wMonth > 12)
+ return APR_EBADDATE;
+
/* Note; the caller is responsible for filling in detailed tm_usec,
* tm_gmtoff and tm_isdst data when applicable.
*/
@@ -224,6 +227,9 @@ APR_DECLARE(apr_status_t) apr_time_exp_get(apr_time_t *t,
static const int dayoffset[12] =
{306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ if (xt->tm_mon < 0 || xt->tm_mon >= 12)
+ return APR_EBADDATE;
+
/* shift new year to 1st March in order to make leap year calc easy */
if (xt->tm_mon < 2)
--
1.8.3.1

19
apr.spec
View File

@ -2,7 +2,7 @@
Name: apr Name: apr
Version: 1.6.5 Version: 1.6.5
Release: 4 Release: 5
Summary: Apache Portable Runtime. Summary: Apache Portable Runtime.
License: ASL 2.0 and BSD with advertising and ISC and BSD License: ASL 2.0 and BSD with advertising and ISC and BSD
URL: http://apr.apache.org URL: http://apr.apache.org
@ -12,11 +12,12 @@ Source1: apr-wrapper.h
Patch0: apr-1.2.2-libdir.patch Patch0: apr-1.2.2-libdir.patch
Patch1: apr-1.2.7-pkgconf.patch Patch1: apr-1.2.7-pkgconf.patch
Patch6000: Merge-r1834494-from-trunk.patch Patch0000: Merge-r1834494-from-trunk.patch
Patch6001: test-testlock.c-test_timeoutcond-Increase-fudge-fact.patch Patch0001: test-testlock.c-test_timeoutcond-Increase-fudge-fact.patch
Patch6002: Split-apr_pool_check_integrity-into-two-parts.patch Patch0002: Split-apr_pool_check_integrity-into-two-parts.patch
Patch6003: Pool-debugging-fixes.patch Patch0003: Pool-debugging-fixes.patch
Patch6004: Fix-pool-debugging-output-so-that-creation-events-ar.patch Patch0004: Fix-pool-debugging-output-so-that-creation-events-ar.patch
Patch0005: Bounds-check-human-readable-date-fields-credit-Stefa.patch
BuildRequires: gcc autoconf libtool libuuid-devel python3 lksctp-tools-devel BuildRequires: gcc autoconf libtool libuuid-devel python3 lksctp-tools-devel
@ -100,6 +101,12 @@ make check
%doc docs/incomplete_types docs/non_apr_programs %doc docs/incomplete_types docs/non_apr_programs
%changelog %changelog
* Wed Jun 24 2020 linwei<linwei54@huawei.com> - 1.6.5-5
- Type: cves
- ID: CVE-2017-12613
- SUG: restart
- DESC: fix CVE-2017-12613
* Tue Dec 17 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.6.5-4 * Tue Dec 17 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.6.5-4
- quality enhancement synchronization github patch - quality enhancement synchronization github patch