Bug 893406 (CVE-2022-24963) - <dev-libs/apr-1.7.2, <dev-libs/apr-util-1.6.3: integer overflow/wraparound in apr_encode (CVE-2022-24963)
Summary: <dev-libs/apr-1.7.2, <dev-libs/apr-util-1.6.3: integer overflow/wraparound in...
Status: IN_PROGRESS
Alias: CVE-2022-24963
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://marc.info/?l=oss-security&m=1...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 894144
Blocks:
Reported: 2023-02-06 15:37 UTC by Hank Leininger
Modified: 2023-04-19 04:38 UTC (History)
Description Hank Leininger 2023-02-06 15:37:36 UTC
From $URL:

"Severity: moderate

Description:

Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0."

apr 1.7.2 includes fixes.

www-servers/apache depends on dev-libs/apr via apache-2.eclass, so anyone using Apache httpd has apr.

The advisory doesn't elaborate on what conditions are necessary for malicious inputs to be passed to the vulnerable functions.

httpd-2.4.55/modules/tls/tls_cert.c calls apr_encode_base64 a couple of times, and of course there are tens of thousands of other mentions of apr_, some of which may call apr_encode* indirectly.
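The advisory names the bug class (an integer wraparound in an encoder's output-length arithmetic that leads to an out-of-bounds write) without showing it. The following is an added illustration of that class in a generic base64 encoder; it is not APR's code, not the CVE-2022-24963 code path, and not the 1.7.2 fix. Everything in it (`b64_len_naive`, `b64_len_checked`, `b64_encode_checked`, the helpers) is hypothetical. It shows the naive length computation wrapping to a tiny value for a huge `len`, and the checked variant that refuses instead of handing the caller an undersized buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustration of the bug class only: NOT APR's encoder and NOT a
 * reproduction of the CVE-2022-24963 code path. */

/* Naive output-length computation for base64: 4 output bytes per 3
 * input bytes, plus a NUL. When len is within 2 of SIZE_MAX the
 * addition wraps, so a huge input yields a tiny size; a buffer sized
 * from this value is then overrun by the encoder loop. */
size_t b64_len_naive(size_t len)
{
    return (len + 2) / 3 * 4 + 1;
}

/* Checked variant: each step that could wrap is tested first.
 * Returns 0 to signal "does not fit in size_t"; the true result is
 * never 0, since even an empty input needs 1 byte for the NUL. */
size_t b64_len_checked(size_t len)
{
    if (len > SIZE_MAX - 2)
        return 0;                      /* len + 2 would wrap */
    size_t groups = (len + 2) / 3;
    if (groups > (SIZE_MAX - 1) / 4)
        return 0;                      /* groups * 4 + 1 would wrap */
    return groups * 4 + 1;
}

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encoder that derives its write budget from the checked length and
 * refuses to run when the caller's buffer (dstlen bytes) is too small.
 * Returns 0 on success, -1 on length overflow or insufficient space. */
int b64_encode_checked(const unsigned char *src, size_t len,
                       char *dst, size_t dstlen)
{
    size_t need = b64_len_checked(len);
    if (need == 0 || dstlen < need)
        return -1;

    size_t i = 0, o = 0;
    while (len - i >= 3) {
        uint32_t v = (uint32_t)src[i] << 16 | (uint32_t)src[i + 1] << 8 | src[i + 2];
        dst[o++] = B64[(v >> 18) & 63];
        dst[o++] = B64[(v >> 12) & 63];
        dst[o++] = B64[(v >> 6) & 63];
        dst[o++] = B64[v & 63];
        i += 3;
    }
    if (len - i == 1) {                /* one trailing byte: "xx==" */
        uint32_t v = (uint32_t)src[i] << 16;
        dst[o++] = B64[(v >> 18) & 63];
        dst[o++] = B64[(v >> 12) & 63];
        dst[o++] = '=';
        dst[o++] = '=';
    } else if (len - i == 2) {         /* two trailing bytes: "xxx=" */
        uint32_t v = (uint32_t)src[i] << 16 | (uint32_t)src[i + 1] << 8;
        dst[o++] = B64[(v >> 18) & 63];
        dst[o++] = B64[(v >> 12) & 63];
        dst[o++] = B64[(v >> 6) & 63];
        dst[o++] = '=';
    }
    dst[o] = '\0';
    return 0;
}

/* Helper: encode a C string and compare with the expected text.
 * Returns 1 on match, 0 otherwise (including refused encodes). */
int b64_matches(const char *in, const char *expected)
{
    char out[64];
    if (b64_encode_checked((const unsigned char *)in, strlen(in),
                           out, sizeof out) != 0)
        return 0;
    return strcmp(out, expected) == 0;
}

/* Helper: try to encode "Man" (needs 5 bytes) into a 4-byte buffer;
 * the checked encoder must refuse (-1) rather than overrun. */
int b64_refuses_small_buffer(void)
{
    char out[4];
    return b64_encode_checked((const unsigned char *)"Man", 3, out, sizeof out);
}

int main(void)
{
    printf("naive length for SIZE_MAX input:   %zu\n", b64_len_naive(SIZE_MAX));
    printf("checked length for SIZE_MAX input: %zu (0 = refused)\n",
           b64_len_checked(SIZE_MAX));
    printf("\"Man\" encodes correctly: %d\n", b64_matches("Man", "TWFu"));
    printf("small buffer refused: %d\n", b64_refuses_small_buffer());
    return 0;
}
```

The point for a reviewer of any encoder is the pairing: the length function must be checked, and the writer must derive its bound from that same checked value rather than recomputing it, so an overflow can only ever surface as a refusal and never as a short allocation.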
Comment 1 Sam James 2023-02-07 03:23:00 UTC
I'll handle this & apr-util.
Comment 2 Tomáš Mózes 2023-02-07 09:48:16 UTC
(In reply to Sam James from comment #1)
> I'll handle this & apr-util.

Thanks.

Started to work on this during the morning, but some missing patches need to be checked to see if we still need them. This worked for me (with apache 2.4.55 on amd64):
--- /usr/portage/dev-libs/apr-util/apr-util-1.6.1-r10.ebuild	2022-12-18 14:10:24.000000000 +0000
+++ apr-util-1.6.3.ebuild	2023-02-07 04:18:51.073557958 +0000
@@ -1,11 +1,10 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI="8"
 
 # Usually apr-util has the same PV as apr, but in case of security fixes, this may change.
-# APR_PV="${PV}"
-APR_PV="1.7.0-r6"
+APR_PV="${PV}"
 
 inherit autotools db-use libtool multilib toolchain-funcs
 
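Review bot: the APR_PV="${PV}" change in this hunk presumably ties the dev-libs/apr dependency of apr-util 1.6.3 to apr 1.6.3, while the fixed apr is 1.7.2 and the comment directly above it says the two versions diverge exactly in the security-fix case; keep an explicit APR_PV="1.7.2" so that installing the apr-util bump also pulls in the fixed apr. Minor style point: the line being replaced writes the EAPI bare (EAPI=7), so EAPI=8 rather than EAPI="8".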
@@ -15,7 +14,7 @@
 
 LICENSE="Apache-2.0"
 SLOT="1"
-KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 IUSE="berkdb doc gdbm ldap mysql nss odbc openssl postgres sqlite static-libs"
 #RESTRICT="test"
 
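Review bot: the KEYWORDS line resets every arch to ~arch, which is the usual reset for a new version, but since this version is the security fix, stable users stay on the vulnerable 1.6.1 until a stabilization request for amd64, arm, arm64, ppc, ppc64, sparc and x86 follows; file it with the bump. The commented-out #RESTRICT="test" line is unrelated to this change and could be removed or given a reason.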
@@ -48,9 +47,7 @@
 
 PATCHES=(
 	"${FILESDIR}"/${PN}-1.5.3-sysroot.patch #385775
-	"${FILESDIR}"/${PN}-1.6.1-fix-gdbm-error-handling.patch
 	"${FILESDIR}"/${PN}-1.6.1-libtool.patch # 779487
-	"${FILESDIR}"/${PN}-1.6.1-mariadb-support.patch
 	"${FILESDIR}"/${PN}-1.6.1-my_bool.patch
 	"${FILESDIR}"/${PN}-1.6.1-drop-my_init.patch
 )
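Review bot: two patches (${PN}-1.6.1-fix-gdbm-error-handling.patch and ${PN}-1.6.1-mariadb-support.patch) are dropped from PATCHES with nothing recording why; if 1.6.3 carries equivalent upstream fixes, note that in an ebuild comment or the commit message, and if it does not, the gdbm error handling and MariaDB support regress silently. The remaining 1.6.1-* patches also need confirming that they still apply cleanly to 1.6.3.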


--- /usr/portage/dev-libs/apr/apr-1.7.0-r6.ebuild	2022-12-17 19:40:11.000000000 +0000
+++ apr-1.7.2.ebuild	2023-02-07 04:21:11.093052801 +0000
@@ -1,7 +1,7 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI="8"
 
 inherit autotools libtool toolchain-funcs
 
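Review bot: EAPI="8" is quoted while the line it replaces writes the EAPI bare (EAPI=7); keep the bare form, EAPI=8, for consistency. The copyright year update is fine.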
@@ -11,7 +11,7 @@
 
 LICENSE="Apache-2.0"
 SLOT="1/${PV%.*}"
-KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 IUSE="doc older-kernels-compatibility selinux static-libs +urandom"
 
 # See bug #815265 for libcrypt dependency
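Review bot: SLOT="1/${PV%.*}" gives the same subslot, 1/1.7, for 1.7.0 and 1.7.2, so this bump triggers no subslot rebuild of reverse dependencies; that is only correct if the 1.7.2 ABI is unchanged, and given that apr bumps have broken reverse dependencies before (see the soak period discussed later in this bug), confirm it before stabilizing. The KEYWORDS reset to ~arch has the same stabilization follow-up as the apr-util hunk.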
@@ -28,13 +28,13 @@
 PATCHES=(
 	"${FILESDIR}"/${PN}-1.5.0-mint.patch
 	"${FILESDIR}"/${PN}-1.5.0-libtool.patch
-	"${FILESDIR}"/${PN}-1.5.0-cross-types.patch
-	"${FILESDIR}"/${PN}-1.5.0-sysroot.patch #385775
+#	"${FILESDIR}"/${PN}-1.5.0-cross-types.patch
+#	"${FILESDIR}"/${PN}-1.5.0-sysroot.patch #385775
 	"${FILESDIR}"/${PN}-1.6.3-skip-known-failing-tests.patch
-	"${FILESDIR}"/${PN}-1.7.0-autoconf-2.70.patch #750353
+#	"${FILESDIR}"/${PN}-1.7.0-autoconf-2.70.patch #750353
 	"${FILESDIR}"/${PN}-1.7.0-CVE-2021-35940.patch #828545
-	"${FILESDIR}"/${PN}-1.7.0-clang-16.patch #870004
-	"${FILESDIR}"/${PN}-1.7.0-dev-zero.patch #830833
+#	"${FILESDIR}"/${PN}-1.7.0-clang-16.patch #870004
+#	"${FILESDIR}"/${PN}-1.7.0-dev-zero.patch #830833
 )
 
 src_prepare() {
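Review bot: the cross-compilation patches (${PN}-1.5.0-cross-types.patch and ${PN}-1.5.0-sysroot.patch, bug #385775) and the clang-16 and dev-zero fixes are commented out with a leading # rather than rebased or removed, so sysroot builds regress and dead entries remain in PATCHES; rebase the ones that no longer apply (the committed 1.7.2 ebuild later in this bug ships an apr-1.7.2-sysroot.patch, so rebasing is feasible) and delete the rest together with their files/ entries. Also verify that ${PN}-1.7.0-CVE-2021-35940.patch is still needed on 1.7.2: a patch upstream has already merged will fail to apply.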
Comment 3 Larry the Git Cow 2023-02-13 07:04:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=75b2b9521e8558b0f0d15332839bbdb0e0406c23

commit 75b2b9521e8558b0f0d15332839bbdb0e0406c23
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-02-13 06:47:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-13 06:54:53 +0000

    dev-libs/apr-util: add 1.6.3
    
    Bug: https://bugs.gentoo.org/811765
    Bug: https://bugs.gentoo.org/870004
    Bug: https://bugs.gentoo.org/893406
    Closes: https://bugs.gentoo.org/875167
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/apr-util/Manifest                         |   1 +
 dev-libs/apr-util/apr-util-1.6.3.ebuild            | 147 +++++++++++++++++++++
 .../files/apr-util-1.6.3-fix-pkgconfig-libs.patch  |  29 ++++
 3 files changed, 177 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7f8fe2b7fedf4372a89b3a11865c04a645a84c88

commit 7f8fe2b7fedf4372a89b3a11865c04a645a84c88
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-02-13 06:28:09 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-13 06:54:07 +0000

    dev-libs/apr: add 1.7.2
    
    Bug: https://bugs.gentoo.org/870004
    Bug: https://bugs.gentoo.org/875167
    Bug: https://bugs.gentoo.org/893406
    Closes: https://bugs.gentoo.org/811765
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/apr/Manifest                              |   1 +
 dev-libs/apr/apr-1.7.2.ebuild                      | 167 +++++++++++++++++++++
 .../apr/files/apr-1.7.2-fix-pkgconfig-libs.patch   |  35 +++++
 dev-libs/apr/files/apr-1.7.2-libtool.patch         |  16 ++
 dev-libs/apr/files/apr-1.7.2-respect-flags.patch   |  22 +++
 dev-libs/apr/files/apr-1.7.2-sysroot.patch         |  37 +++++
 dev-libs/apr/metadata.xml                          |   1 +
 7 files changed, 279 insertions(+)
Comment 4 Sam James 2023-02-13 07:13:04 UTC
This kind of took as much work as I expected (a lot) because of the huge number of patches we had and how delicate they are
Comment 5 Sam James 2023-02-13 07:15:40 UTC
(In reply to Sam James from comment #4)
> This kind of took as much work as I expected (a lot) because of the huge
> number of patches we had and how delicate they are

comment got cut off: This kind of took as much work as I expected (a lot) because of the number of patches we had and how delicate they are, but I think it's a bit tidier now and bumps should be easier in future.

I'll stable Apache now for bug 891211 and give apr a day or two to soak given how delicate it's been in the past. It's had a tendency to break reverse dependencies.
Comment 6 Tomáš Mózes 2023-02-13 07:26:11 UTC
(In reply to Sam James from comment #5)
> (In reply to Sam James from comment #4)
> > This kind of took as much work as I expected (a lot) because of the huge
> > number of patches we had and how delicate they are
> 
> comment got cut off: This kind of took as much work as I expected (a lot)
> because of number of patches we had and how delicate they are, but I think
> it's a bit tidier now and bumps should be easier in future.
> 
> I'll stable Apache now for bug 891211 and give apr a day or two to soak
> given how delicate it's been in the past. It's had a tendency to break
> reverse dependencies.

Thanks, I'll test it out!
Comment 7 Tomáš Mózes 2023-02-14 06:33:11 UTC
Tested on 3 machines (~amd64/amd64), works fine, thanks Sam!
Comment 8 Hans de Graaff 2023-03-18 16:29:15 UTC
Cleanup done.