Hello community, here is the log from the commit of package libapr1 for openSUSE:11.3 checked in at Tue Jul 26 17:10:37 CEST 2011.
-------- --- old-versions/11.3/all/libapr1/libapr1.changes 2010-04-24 23:01:38.000000000 +0200 +++ 11.3/libapr1/libapr1.changes 2011-07-26 13:53:25.000000000 +0200 @@ -1,0 +2,7 @@ +Tue Jul 26 13:49:29 CEST 2011 - [email protected] + +- libapr1-apr_fnmatch_c-CVE-2011-0419.patch and + libapr1-apr_fnmatch_c-CVE-2011-1928.patch fix CVE-2011-0419 and + CVE-2011-1928: fnmatch() mem and CPU exhaustion DoS. bnc#693778 + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.3/all/libapr1 Destination is old-versions/11.3/UPDATES/all/libapr1 calling whatdependson for 11.3-i586 New: ---- libapr1-apr_fnmatch_c-CVE-2011-0419.patch libapr1-apr_fnmatch_c-CVE-2011-1928.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libapr1.spec ++++++ --- /var/tmp/diff_new_pack.ayKQSy/_old 2011-07-26 17:08:50.000000000 +0200 +++ /var/tmp/diff_new_pack.ayKQSy/_new 2011-07-26 17:08:50.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package libapr1 (Version 1.3.8) +# spec file for package libapr1 # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -34,12 +34,14 @@ %endif # Version: 1.3.8 -Release: 3 +Release: 8.<RELEASE2> Summary: Apache Portable Runtime (APR) Library Source: http://www.apache.org/dist/apr/apr-%{version}.tar.bz2 Source2: baselibs.conf Patch1: string-compare.diff Patch3: apr-1.3.0-testshm-apr_shm_remove.patch +Patch4: libapr1-apr_fnmatch_c-CVE-2011-0419.patch +Patch5: libapr1-apr_fnmatch_c-CVE-2011-1928.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define aprver 1 %define installbuilddir %{_libdir}/apr-%{aprver}/build @@ -90,6 +92,8 @@ %setup -n apr-%{version} %patch1 %patch3 -p1 +%patch4 -p0 +%patch5 -p0 # # workaround for ugly bug 400488 # Xen kernel on sles9 x86_64 is set up to behave different than all other kernels ++++++ libapr1-apr_fnmatch_c-CVE-2011-0419.patch ++++++ ++++ 628 lines (skipped) ++++++ libapr1-apr_fnmatch_c-CVE-2011-1928.patch ++++++ diff -ruN ../apr-1.3.3.orig/strings/apr_fnmatch.c ./strings/apr_fnmatch.c --- ../apr-1.3.3.orig/strings/apr_fnmatch.c 2011-06-24 14:52:09.000000000 +0200 +++ ./strings/apr_fnmatch.c 2011-06-24 14:53:14.000000000 +0200 @@ -195,7 +195,10 @@ const char *mismatch = NULL; int matchlen = 0; - while (*pattern) + if (*pattern == '*') + goto firstsegment; + + while (*pattern && *string) { /* Match balanced slashes, starting a new segment pattern */ @@ -206,6 +209,7 @@ ++string; } +firstsegment: /* At the beginning of each segment, validate leading period behavior. */ if ((flags & APR_FNM_PERIOD) && (*string == '.')) @@ -360,9 +364,9 @@ return APR_FNM_NOMATCH; } - /* pattern is at EOS; if string is also, declare success + /* Where both pattern and string are at EOS, declare success */ - if (!*string) + if (!*string && !*pattern) return 0; /* pattern didn't match to the end of string */ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
