Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package apr for openSUSE:Factory checked in at 2021-09-04 22:32:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apr (Old)
 and      /work/SRC/openSUSE:Factory/.apr.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apr" Sat Sep 4 22:32:08 2021 rev:12 rq:915695 version:1.7.0 Changes: -------- --- /work/SRC/openSUSE:Factory/apr/apr.changes 2019-08-16 15:28:42.313992977 +0200 +++ /work/SRC/openSUSE:Factory/.apr.new.1899/apr.changes 2021-09-04 22:32:24.855917687 +0200 @@ -1,0 +2,8 @@ +Thu Sep 2 07:15:59 UTC 2021 - [email protected] + +- security update +- added patches + fix CVE-2021-3594 [bsc#1187367], invalid pointer initialization may lead to information disclosure (udp) + + apr-CVE-2021-3594.patch + +------------------------------------------------------------------- New: ---- apr-CVE-2021-3594.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apr.spec ++++++ --- /var/tmp/diff_new_pack.Qv0DiK/_old 2021-09-04 22:32:25.411918423 +0200 +++ /var/tmp/diff_new_pack.Qv0DiK/_new 2021-09-04 22:32:25.415918428 +0200 @@ -1,7 +1,7 @@ # # spec file for package apr # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -34,6 +34,8 @@ Patch9: apr-proc-mutex-map-anon.patch # prevent random failures of the testsuite (sendfile test) Patch10: apr-test-sendfile-timeout.patch +# CVE-2021-3594 [bsc#1187367], invalid pointer initialization may lead to information disclosure (udp) +Patch11: apr-CVE-2021-3594.patch BuildRequires: doxygen BuildRequires: fdupes BuildRequires: libtool @@ -86,6 +88,7 @@ %patch5 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 # Do not put date to doxy content sed -i \ ++++++ apr-CVE-2021-3594.patch ++++++ --- 1.7.x/time/unix/time.c 2021/07/02 11:07:15 1891197 +++ 1.7.x/time/unix/time.c 2021/07/02 11:10:33 1891198 
@@ -142,6 +142,9 @@ static const int dayoffset[12] = {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275}; + if (xt->tm_mon < 0 || xt->tm_mon >= 12) + return APR_EBADDATE; + /* shift new year to 1st March in order to make leap year calc easy */ if (xt->tm_mon < 2)
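
Review bot: the description in the apr.changes entry, repeated in the Patch11 comment in apr.spec ("invalid pointer initialization may lead to information disclosure (udp)"), does not match what apr-CVE-2021-3594.patch visibly does. The patch touches only time/unix/time.c and adds a range check on xt->tm_mon that returns APR_EBADDATE, placed directly after the dayoffset[12] table; nothing in it concerns pointer initialization or UDP. Please confirm the CVE identifier and the bsc reference against the upstream change the patch header points at (revisions 1891197 to 1891198), and reword both the changelog entry and the spec comment to describe the out-of-range month value, so that anyone tracking the advisory can map it to the actual fix.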
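
Review bot: in the time.c hunk, the upper bound in "xt->tm_mon >= 12" repeats the length of dayoffset[12] as a literal. Deriving it from the table, for example sizeof(dayoffset) / sizeof(dayoffset[0]), would keep the check and the array in step if either is ever edited. The change also ships without a test. Since the spec already carries a patch for the testsuite, a regression case that passes tm_mon values of -1 and 12 and expects APR_EBADDATE would show that the new early return is reached and that valid months 0 through 11 still convert as before.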
