Fix CVE-2022-24963

fly_fzc 2023-02-13 11:33:22 +08:00
parent cf50d631f9
commit 590e60ccf1
5 changed files with 3288 additions and 1 deletions


@ -2,7 +2,7 @@
Name: apr Name: apr
Version: 1.7.0 Version: 1.7.0
Release: 4 Release: 5
Summary: Apache Portable Runtime. Summary: Apache Portable Runtime.
License: ASL 2.0 and BSD with advertising and ISC and BSD License: ASL 2.0 and BSD with advertising and ISC and BSD
URL: http://apr.apache.org URL: http://apr.apache.org
@ -16,6 +16,10 @@ Patch3: Pool-debugging-fixes.patch
Patch4: Fix-pool-debugging-output-so-that-creation-events-ar.patch Patch4: Fix-pool-debugging-output-so-that-creation-events-ar.patch
Patch5: backport-CVE-2017-12613-Bounds-check-human-readable-date-fields.patch Patch5: backport-CVE-2017-12613-Bounds-check-human-readable-date-fields.patch
Patch6: backport-build-apr_common.me-avoid-explicit-inclusion-if-conf.patch Patch6: backport-build-apr_common.me-avoid-explicit-inclusion-if-conf.patch
Patch7: backport-Address-some-warnings-raised-by-MSVC-32-64.patch
Patch8: backport-apr_encode_base32-fix-advertised-output-len-when-cal.patch
Patch9: backport-apr_decode_base-64-32-16-stop-reading-before-not-inc.patch
Patch10:backport-CVE-2022-24963-encoding-Better-check-inputs-of-apr_-encode-decode-_.patch
BuildRequires: gcc autoconf libtool libuuid-devel python3 lksctp-tools-devel BuildRequires: gcc autoconf libtool libuuid-devel python3 lksctp-tools-devel
@ -99,6 +103,12 @@ make check
%doc docs/incomplete_types docs/non_apr_programs %doc docs/incomplete_types docs/non_apr_programs
%changelog %changelog
* Mon Feb 13 2023 fuanan <fuanan3@h-partners.com> - 1.7.0-5
- Type:CVE
- ID:CVE-2022-24963
- SUG:NA
- DESC:Fix CVE-2022-24963
* Thu Mar 31 2022 panxiaohe <panxh.life@foxmail.com> - 1.7.0-4 * Thu Mar 31 2022 panxiaohe <panxh.life@foxmail.com> - 1.7.0-4
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA


@ -0,0 +1,181 @@
From 66e41846004d40fd6d12811fd0acf08920a3d1cd Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Wed, 3 Apr 2019 13:54:46 +0000
Subject: [PATCH] Address some warnings raised by MSVC-32/64.
git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1856873 13f79535-47bb-0310-9956-ffa450edef68
---
atomic/win32/apr_atomic64.c | 50 ++++++++-----------------------------
encoding/apr_encode.c | 4 +--
file_io/win32/seek.c | 2 +-
memory/unix/apr_pools.c | 8 +++---
4 files changed, 18 insertions(+), 46 deletions(-)
diff --git a/atomic/win32/apr_atomic64.c b/atomic/win32/apr_atomic64.c
index a5acc945e..e2cd06d6c 100644
--- a/atomic/win32/apr_atomic64.c
+++ b/atomic/win32/apr_atomic64.c
@@ -18,55 +18,35 @@
#include "apr_atomic.h"
#include "apr_thread_mutex.h"
-APR_DECLARE(apr_uint64_t) apr_atomic_add64(volatile apr_uint64_t *mem, apr_uint64_t val)
-{
-#if (defined(_M_IA64) || defined(_M_AMD64))
- return InterlockedExchangeAdd64(mem, val);
-#else
- return InterlockedExchangeAdd64((long *)mem, val);
-#endif
-}
-
/* Of course we want the 2's compliment of the unsigned value, val */
#ifdef _MSC_VER
#pragma warning(disable: 4146)
#endif
+APR_DECLARE(apr_uint64_t) apr_atomic_add64(volatile apr_uint64_t *mem, apr_uint64_t val)
+{
+ return InterlockedExchangeAdd64((volatile LONG64 *)mem, val);
+}
+
APR_DECLARE(void) apr_atomic_sub64(volatile apr_uint64_t *mem, apr_uint64_t val)
{
-#if (defined(_M_IA64) || defined(_M_AMD64))
- InterlockedExchangeAdd64(mem, -val);
-#else
- InterlockedExchangeAdd64((long *)mem, -val);
-#endif
+ InterlockedExchangeAdd64((volatile LONG64 *)mem, -val);
}
APR_DECLARE(apr_uint64_t) apr_atomic_inc64(volatile apr_uint64_t *mem)
{
/* we return old value, win64 returns new value :( */
-#if (defined(_M_IA64) || defined(_M_AMD64)) && !defined(RC_INVOKED)
- return InterlockedIncrement64(mem) - 1;
-#else
- return InterlockedIncrement64((long *)mem) - 1;
-#endif
+ return InterlockedIncrement64((volatile LONG64 *)mem) - 1;
}
APR_DECLARE(int) apr_atomic_dec64(volatile apr_uint64_t *mem)
{
-#if (defined(_M_IA64) || defined(_M_AMD64)) && !defined(RC_INVOKED)
- return InterlockedDecrement64(mem);
-#else
- return InterlockedDecrement64((long *)mem);
-#endif
+ return !!InterlockedDecrement64((volatile LONG64 *)mem);
}
APR_DECLARE(void) apr_atomic_set64(volatile apr_uint64_t *mem, apr_uint64_t val)
{
-#if (defined(_M_IA64) || defined(_M_AMD64)) && !defined(RC_INVOKED)
- InterlockedExchange64(mem, val);
-#else
- InterlockedExchange64((long*)mem, val);
-#endif
+ InterlockedExchange64((volatile LONG64 *)mem, val);
}
APR_DECLARE(apr_uint64_t) apr_atomic_read64(volatile apr_uint64_t *mem)
@@ -77,18 +57,10 @@ APR_DECLARE(apr_uint64_t) apr_atomic_read64(volatile apr_uint64_t *mem)
APR_DECLARE(apr_uint64_t) apr_atomic_cas64(volatile apr_uint64_t *mem, apr_uint64_t with,
apr_uint64_t cmp)
{
-#if (defined(_M_IA64) || defined(_M_AMD64)) && !defined(RC_INVOKED)
- return InterlockedCompareExchange64(mem, with, cmp);
-#else
- return InterlockedCompareExchange64((long*)mem, with, cmp);
-#endif
+ return InterlockedCompareExchange64((volatile LONG64 *)mem, with, cmp);
}
APR_DECLARE(apr_uint64_t) apr_atomic_xchg64(volatile apr_uint64_t *mem, apr_uint64_t val)
{
-#if (defined(_M_IA64) || defined(_M_AMD64)) && !defined(RC_INVOKED)
- return InterlockedExchange64(mem, val);
-#else
- return InterlockedExchange64((long *)mem, val);
-#endif
+ return InterlockedExchange64((volatile LONG64 *)mem, val);
}
diff --git a/encoding/apr_encode.c b/encoding/apr_encode.c
index 905185921..e44ae11f0 100644
--- a/encoding/apr_encode.c
+++ b/encoding/apr_encode.c
@@ -1062,7 +1062,7 @@ APR_DECLARE(apr_status_t) apr_encode_base16(char *dest,
const char *src, apr_ssize_t slen, int flags, apr_size_t * len)
{
const char *in = src;
- apr_size_t size;
+ apr_ssize_t size;
if (!src) {
return APR_NOTFOUND;
@@ -1115,7 +1115,7 @@ APR_DECLARE(apr_status_t) apr_encode_base16_binary(char *dest,
const unsigned char *src, apr_ssize_t slen, int flags, apr_size_t * len)
{
const unsigned char *in = src;
- apr_size_t size;
+ apr_ssize_t size;
if (!src) {
return APR_NOTFOUND;
diff --git a/file_io/win32/seek.c b/file_io/win32/seek.c
index afe6edb00..dfef57716 100644
--- a/file_io/win32/seek.c
+++ b/file_io/win32/seek.c
@@ -170,7 +170,7 @@ APR_DECLARE(apr_status_t) apr_file_trunc(apr_file_t *thefile, apr_off_t offset)
thefile->bufpos = 0;
}
else if (offset < thefile->filePtr + (apr_off_t)thefile->bufpos) {
- thefile->bufpos = offset - thefile->filePtr;
+ thefile->bufpos = (apr_size_t)(offset - thefile->filePtr);
}
if (thefile->bufpos != 0) {
diff --git a/memory/unix/apr_pools.c b/memory/unix/apr_pools.c
index 5fa7da1b5..0ca715efa 100644
--- a/memory/unix/apr_pools.c
+++ b/memory/unix/apr_pools.c
@@ -407,7 +407,7 @@ apr_memnode_t *allocator_alloc(apr_allocator_t *allocator, apr_size_t in_size)
return NULL;
}
#endif
- node->index = index;
+ node->index = (apr_uint32_t)index;
node->endp = (char *)node + size;
have_node:
@@ -877,7 +877,7 @@ APR_DECLARE(void *) apr_palloc(apr_pool_t *pool, apr_size_t in_size)
free_index = (APR_ALIGN(active->endp - active->first_avail + 1,
BOUNDARY_SIZE) - BOUNDARY_SIZE) >> BOUNDARY_INDEX;
- active->free_index = free_index;
+ active->free_index = (apr_uint32_t)free_index;
node = active->next;
if (free_index >= node->free_index)
goto have_mem;
@@ -1289,7 +1289,7 @@ static int psprintf_flush(apr_vformatter_buff_t *vbuff)
free_index = (APR_ALIGN(active->endp - active->first_avail + 1,
BOUNDARY_SIZE) - BOUNDARY_SIZE) >> BOUNDARY_INDEX;
- active->free_index = free_index;
+ active->free_index = (apr_uint32_t)free_index;
node = active->next;
if (free_index < node->free_index) {
do {
@@ -1445,7 +1445,7 @@ APR_DECLARE(char *) apr_pvsprintf(apr_pool_t *pool, const char *fmt, va_list ap)
free_index = (APR_ALIGN(active->endp - active->first_avail + 1,
BOUNDARY_SIZE) - BOUNDARY_SIZE) >> BOUNDARY_INDEX;
- active->free_index = free_index;
+ active->free_index = (apr_uint32_t)free_index;
node = active->next;
if (free_index >= node->free_index) {
--
2.27.0
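Review bot: The narrowing casts added in file_io/win32/seek.c and memory/unix/apr_pools.c silence the MSVC warning without recording why the value fits. In apr_file_trunc, `(apr_size_t)(offset - thefile->filePtr)` is only safe when `offset >= thefile->filePtr`; the visible `else if` bounds it from above only, and the branch that presumably excludes the negative case starts outside the hunk. The same applies to `(apr_uint32_t)index` in allocator_alloc and the three `(apr_uint32_t)free_index` assignments, whose range checks, if any, are not in the hunks. I would add a one-line comment at each cast, for example `/* offset >= filePtr on this branch, so the difference fits in apr_size_t */`, so a later edit to the guard does not turn the cast into a silent truncation.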


@ -0,0 +1,199 @@
From e70d77ecc4aa9e0dccac6e7e5ba74639f71f50cf Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Fri, 27 Nov 2020 17:04:06 +0000
Subject: [PATCH] apr_decode_base{64,32,16}: stop reading before (not
including) NUL byte.
git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1883870 13f79535-47bb-0310-9956-ffa450edef68
---
encoding/apr_encode.c | 60 ++++++++++++++++++++++++++++++-------------
test/testencode.c | 24 ++++++++++++-----
2 files changed, 59 insertions(+), 25 deletions(-)
diff --git a/encoding/apr_encode.c b/encoding/apr_encode.c
index b3278c7fd..bc2dc5437 100644
--- a/encoding/apr_encode.c
+++ b/encoding/apr_encode.c
@@ -394,11 +394,15 @@ APR_DECLARE(apr_status_t) apr_decode_base64(char *dest, const char *src,
apr_status_t status;
bufin = (const unsigned char *)src;
- while (pr2six[*(bufin++)] < 64 && count)
+ while (count && pr2six[*bufin] < 64) {
count--;
- nprbytes = (bufin - (const unsigned char *)src) - 1;
- while (pr2six[*(bufin++)] > 64 && count)
+ bufin++;
+ }
+ nprbytes = bufin - (const unsigned char *)src;
+ while (count && pr2six[*bufin] > 64) {
count--;
+ bufin++;
+ }
status = flags & APR_ENCODE_RELAXED ? APR_SUCCESS :
count ? APR_BADCH : APR_SUCCESS;
@@ -469,11 +473,15 @@ APR_DECLARE(apr_status_t) apr_decode_base64_binary(unsigned char *dest,
apr_status_t status;
bufin = (const unsigned char *)src;
- while (pr2six[*(bufin++)] < 64 && count)
+ while (count && pr2six[*bufin] < 64) {
count--;
- nprbytes = (bufin - (const unsigned char *)src) - 1;
- while (pr2six[*(bufin++)] > 64 && count)
+ bufin++;
+ }
+ nprbytes = bufin - (const unsigned char *)src;
+ while (count && pr2six[*bufin] > 64) {
count--;
+ bufin++;
+ }
status = flags & APR_ENCODE_RELAXED ? APR_SUCCESS :
count ? APR_BADCH : APR_SUCCESS;
@@ -842,11 +850,15 @@ APR_DECLARE(apr_status_t) apr_decode_base32(char *dest, const char *src,
}
bufin = (const unsigned char *)src;
- while (pr2[*(bufin++)] < 32 && count)
+ while (count && pr2[*bufin] < 32) {
count--;
- nprbytes = (bufin - (const unsigned char *)src) - 1;
- while (pr2[*(bufin++)] > 32 && count)
+ bufin++;
+ }
+ nprbytes = bufin - (const unsigned char *)src;
+ while (count && pr2[*bufin] > 32) {
count--;
+ bufin++;
+ }
status = flags & APR_ENCODE_RELAXED ? APR_SUCCESS :
count ? APR_BADCH : APR_SUCCESS;
@@ -945,11 +957,15 @@ APR_DECLARE(apr_status_t) apr_decode_base32_binary(unsigned char *dest,
}
bufin = (const unsigned char *)src;
- while (pr2[*(bufin++)] < 32 && count)
+ while (count && pr2[*bufin] < 32) {
count--;
- nprbytes = (bufin - (const unsigned char *)src) - 1;
- while (pr2[*(bufin++)] > 32 && count)
+ bufin++;
+ }
+ nprbytes = bufin - (const unsigned char *)src;
+ while (count && pr2[*bufin] > 32) {
count--;
+ bufin++;
+ }
status = flags & APR_ENCODE_RELAXED ? APR_SUCCESS :
count ? APR_BADCH : APR_SUCCESS;
@@ -1220,11 +1236,15 @@ APR_DECLARE(apr_status_t) apr_decode_base16(char *dest,
count = slen;
bufin = (const unsigned char *)src;
- while (pr2two[*(bufin++)] != 16 && count)
+ while (count && pr2two[*bufin] != 16) {
count--;
- nprbytes = (bufin - (const unsigned char *)src) - 1;
- while (pr2two[*(bufin++)] > 16 && count)
+ bufin++;
+ }
+ nprbytes = bufin - (const unsigned char *)src;
+ while (count && pr2two[*bufin] > 16) {
count--;
+ bufin++;
+ }
status = flags & APR_ENCODE_RELAXED ? APR_SUCCESS :
count ? APR_BADCH : APR_SUCCESS;
@@ -1310,11 +1330,15 @@ APR_DECLARE(apr_status_t) apr_decode_base16_binary(unsigned char *dest,
count = slen;
bufin = (const unsigned char *)src;
- while (pr2two[*(bufin++)] != 16 && count)
+ while (count && pr2two[*bufin] != 16) {
count--;
- nprbytes = (bufin - (const unsigned char *)src) - 1;
- while (pr2two[*(bufin++)] > 16 && count)
+ bufin++;
+ }
+ nprbytes = bufin - (const unsigned char *)src;
+ while (count && pr2two[*bufin] > 16) {
count--;
+ bufin++;
+ }
status = flags & APR_ENCODE_RELAXED ? APR_SUCCESS :
count ? APR_BADCH : APR_SUCCESS;
diff --git a/test/testencode.c b/test/testencode.c
index 3680fa380..ba23aaf28 100644
--- a/test/testencode.c
+++ b/test/testencode.c
@@ -134,37 +134,42 @@ static void test_decode_base64(abts_case * tc, void *data)
src = "";
target = "";
dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
- ABTS_STR_EQUAL(tc, dest, target);
+ ABTS_STR_EQUAL(tc, target, dest);
src = "Zg==";
target = "f";
dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
- ABTS_STR_EQUAL(tc, dest, target);
+ ABTS_STR_EQUAL(tc, target, dest);
+
+ src = "Zg=";
+ target = "f";
+ dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
+ ABTS_STR_EQUAL(tc, target, dest);
src = "Zg";
target = "f";
dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
- ABTS_STR_EQUAL(tc, dest, target);
+ ABTS_STR_EQUAL(tc, target, dest);
src = "Zm8=";
target = "fo";
dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
- ABTS_STR_EQUAL(tc, dest, target);
+ ABTS_STR_EQUAL(tc, target, dest);
src = "Zm8";
target = "fo";
dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
- ABTS_STR_EQUAL(tc, dest, target);
+ ABTS_STR_EQUAL(tc, target, dest);
src = "Zm9v";
target = "foo";
dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
- ABTS_STR_EQUAL(tc, dest, target);
+ ABTS_STR_EQUAL(tc, target, dest);
src = "Zm9v";
target = "foo";
dest = apr_pdecode_base64(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
- ABTS_STR_EQUAL(tc, dest, target);
+ ABTS_STR_EQUAL(tc, target, dest);
apr_pool_destroy(pool);
}
@@ -191,6 +196,11 @@ static void test_decode_base64_binary(abts_case * tc, void *data)
ABTS_ASSERT(tc, "apr_pdecode_base64_binary target!=dest", memcmp(ufoobar, udest, 1) == 0);
ABTS_INT_EQUAL(tc, len, 1);
+ src = "Zg=";
+ udest = apr_pdecode_base64_binary(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
+ ABTS_ASSERT(tc, "apr_pdecode_base64_binary target!=dest", memcmp(ufoobar, udest, 1) == 0);
+ ABTS_INT_EQUAL(tc, len, 1);
+
src = "Zg";
udest = apr_pdecode_base64_binary(pool, src, APR_ENCODE_STRING, APR_ENCODE_NONE, &len);
ABTS_ASSERT(tc, "apr_pdecode_base64_binary target!=dest", memcmp(ufoobar, udest, 1) == 0);
--
2.27.0
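Review bot: The added cases in test/testencode.c only call the decoders with `APR_ENCODE_STRING`, so the situation this patch is about, an explicit `slen` where the byte at `src[slen]` must not be read, is never exercised. The reordered loops (`while (count && pr2six[*bufin] < 64)`) now test `count` before dereferencing, but nothing visible would fail if a later edit swapped the operands back. A bounded case on a buffer with no terminator, such as `char buf[4] = {'Z','m','9','v'};` then `dest = apr_pdecode_base64(pool, buf, sizeof buf, APR_ENCODE_NONE, &len);` and `ABTS_STR_EQUAL(tc, "foo", dest);` (constructed example), would catch it when run under a memory-checking build. The same scan is repeated in all six decoders, so each variant needs its own case; the test function bodies start outside the hunks.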


@ -0,0 +1,27 @@
From 2b0eb50e43667ce8cebf0bb745a0eb7d493385c2 Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Fri, 27 Nov 2020 16:54:50 +0000
Subject: [PATCH] apr_encode_base32: fix advertised output *len when called
with dst == NULL.
git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1883868 13f79535-47bb-0310-9956-ffa450edef68
---
encoding/apr_encode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/encoding/apr_encode.c b/encoding/apr_encode.c
index e44ae11f0..b3278c7fd 100644
--- a/encoding/apr_encode.c
+++ b/encoding/apr_encode.c
@@ -665,7 +665,7 @@ APR_DECLARE(apr_status_t) apr_encode_base32(char *dest, const char *src,
}
if (len) {
- *len = ((slen + 2) / 3 * 4) + 1;
+ *len = ((slen + 4) / 5 * 8) + 1;
}
return APR_SUCCESS;
--
2.27.0
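Review bot: Nothing in this patch pins the corrected size formula: its diffstat lists only encoding/apr_encode.c, so the `dest == NULL` length query of apr_encode_base32 gets no regression test here. The old expression used the base64 ratio (3 bytes to 4 characters) and under-reported the space a caller has to allocate, which is the kind of mistake that ends in an undersized destination buffer. A case along the lines of `apr_encode_base32(NULL, "foobar", 6, APR_ENCODE_NONE, &len);` followed by `ABTS_INT_EQUAL(tc, len, 17);` (constructed example: (6 + 4) / 5 * 8 + 1) would hold the formula in place. The function body starts and ends outside the hunk.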