From https://lists.apache.org/thread/qw64qq2n230pjsmr3mhz2jon05q18qom: "An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue. The patch below addresses the issue: https://downloads.apache.org/apr/patches/apr-1.7.0-CVE-2021-35940.patch" Apparently a 1.7.1 release was planned a while ago but hasn't happened yet. So, please apply the patch.
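Added illustration of the defect class behind the two CVEs named above (it is not APR's code or the linked patch): the upstream advisory for CVE-2017-12613 attributes the out-of-bounds read to an invalid month field in the exploded time structure being used as an index when converting back to a timestamp, and that is the mechanism assumed here. Everything in the block (the `ex_` names, the `EX_EBADDATE` code, the simplified day table) is a constructed stand-in for the corresponding APR pieces, kept to UTC and years from 1970 so the arithmetic stays small.

```c
#include <stdio.h>
#include <stdint.h>

/* Hypothetical stand-ins for apr_time_t / APR_SUCCESS / APR_EBADDATE. */
typedef int64_t ex_time_t;
#define EX_SUCCESS  0
#define EX_EBADDATE 1

/* Simplified exploded time, modelled on the tm_* fields of apr_time_exp_t.
 * tm_mon is 0..11, tm_year is years since 1900. */
typedef struct {
    int tm_sec, tm_min, tm_hour, tm_mday, tm_mon, tm_year;
} ex_time_exp_t;

/* Days elapsed before the first day of each month in a non-leap year.
 * A static table like this is the kind of object an unchecked index
 * reads past. */
static const int days_before_month[12] = {
    0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
};

static int is_leap(int year) {
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* Days from 1970-01-01 to the first day of `year` (year >= 1970). */
static int64_t days_before_year(int year) {
    int64_t d = 0;
    for (int y = 1970; y < year; y++)
        d += is_leap(y) ? 366 : 365;
    return d;
}

/* Unchecked conversion: trusts tm_mon and indexes the table with it.
 * With tm_mon outside 0..11 this reads adjacent static memory, which is
 * the out-of-bounds read described in the advisory. Only ever call it
 * with validated input (the hardened wrapper below does that). */
static int ex_time_exp_get_unchecked(ex_time_t *t, const ex_time_exp_t *xt) {
    int year = xt->tm_year + 1900;
    int64_t days = days_before_year(year)
                 + days_before_month[xt->tm_mon]   /* the unguarded index */
                 + (xt->tm_mday - 1);
    if (xt->tm_mon > 1 && is_leap(year))           /* Feb 29 already passed */
        days += 1;
    *t = ((days * 24 + xt->tm_hour) * 60 + xt->tm_min) * 60 + xt->tm_sec;
    return EX_SUCCESS;
}

/* Hardened entry point: reject out-of-range fields before any table
 * lookup and report a bad date instead, the behaviour the fix restores. */
int ex_time_exp_get(ex_time_t *t, const ex_time_exp_t *xt) {
    if (xt->tm_mon < 0 || xt->tm_mon > 11)
        return EX_EBADDATE;
    if (xt->tm_year + 1900 < 1970)   /* keeps days_before_year() well defined */
        return EX_EBADDATE;
    return ex_time_exp_get_unchecked(t, xt);
}

int main(void) {
    /* Constructed inputs: 2000-01-01 00:00:00 UTC, and the same date with
     * month 13, which must be rejected rather than read past the table. */
    ex_time_exp_t good = { 0, 0, 0, 1, 0, 100 };
    ex_time_exp_t bad  = { 0, 0, 0, 1, 13, 100 };
    ex_time_t t = 0;
    int rc = ex_time_exp_get(&t, &good);
    printf("valid month:   rc=%d t=%lld\n", rc, (long long)t);
    rc = ex_time_exp_get(&t, &bad);
    printf("month 13:      rc=%d (EX_EBADDATE=%d)\n", rc, EX_EBADDATE);
    return 0;
}
```

The point for a packager reviewing the backport is that the check has to sit in every public entry that does the table lookup; a branch that carries the table but not the guard (as 1.7.0 did relative to 1.6.3) is vulnerable again.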
Ping.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f00c644c3393ceb36ae94a52cad5f56ae4d6f60c

commit f00c644c3393ceb36ae94a52cad5f56ae4d6f60c
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2022-08-20 08:22:07 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2022-08-20 08:23:11 +0000

    dev-libs/apr: apply fix for CVE-2021-35940

    Bug: https://bugs.gentoo.org/828545
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-libs/apr/apr-1.7.0-r5.ebuild                  | 162 ++++++++++++++++++++++
 dev-libs/apr/files/apr-1.7.0-CVE-2021-35940.patch |  53 +++++++
 2 files changed, 215 insertions(+)
Thanks! Please stable when ready
Just an OOB read, no GLSA.