From 10d80eb39aed471b6c47400e1b155c94a61d8e61 Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Date: Thu, 31 Mar 2022 23:00:46 +0200
Subject: [PATCH] package/apr: fix CVE-2021-35940

An out-of-bounds array read in the apr_time_exp*() functions was fixed
in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix
for this issue was not carried forward to the APR 1.7.x branch, and
hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the
same issue.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
---
 .../apr/0004-apr-1.7.0-CVE-2021-35940.patch   | 57 +++++++++++++++++++
 package/apr/apr.mk                            |  3 +
 2 files changed, 60 insertions(+)
 create mode 100644 package/apr/0004-apr-1.7.0-CVE-2021-35940.patch

diff --git a/package/apr/0004-apr-1.7.0-CVE-2021-35940.patch b/package/apr/0004-apr-1.7.0-CVE-2021-35940.patch
new file mode 100644
index 0000000000..b065a3330a
--- /dev/null
+++ b/package/apr/0004-apr-1.7.0-CVE-2021-35940.patch
@@ -0,0 +1,57 @@
+
+SECURITY: CVE-2021-35940 (cve.mitre.org)
+
+Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though
+was addressed in 1.6.x in 1.6.3 and later via r1807976.
+
+The fix was merged back to 1.7.x in r1891198.
+
+Since this was a regression in 1.7.0, a new CVE name has been assigned
+to track this, CVE-2021-35940.
+
+Thanks to Iveta Cesalova <icesalov redhat.com> for reporting this issue.
+
+https://svn.apache.org/viewvc?view=revision&revision=1891198
+
+[Retrieved from:
+https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch]
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+
+Index: ./time/unix/time.c
+===================================================================
+--- ./time/unix/time.c	(revision 1891197)
++++ ./time/unix/time.c	(revision 1891198)
+@@ -142,6 +142,9 @@
+     static const int dayoffset[12] =
+     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ 
++    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++        return APR_EBADDATE;
++
+     /* shift new year to 1st March in order to make leap year calc easy */
+ 
+     if (xt->tm_mon < 2)
+Index: ./time/win32/time.c
+===================================================================
+--- ./time/win32/time.c	(revision 1891197)
++++ ./time/win32/time.c	(revision 1891198)
+@@ -54,6 +54,9 @@
+     static const int dayoffset[12] =
+     {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
+ 
++    if (tm->wMonth < 1 || tm->wMonth > 12)
++        return APR_EBADDATE;
++
+     /* Note; the caller is responsible for filling in detailed tm_usec,
+      * tm_gmtoff and tm_isdst data when applicable.
+      */
+@@ -228,6 +231,9 @@
+     static const int dayoffset[12] =
+     {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+ 
++    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++        return APR_EBADDATE;
++
+     /* shift new year to 1st March in order to make leap year calc easy */
+ 
+     if (xt->tm_mon < 2)
diff --git a/package/apr/apr.mk b/package/apr/apr.mk
index 7ff2c007b4..77217ccbb3 100644
--- a/package/apr/apr.mk
+++ b/package/apr/apr.mk
@@ -16,6 +16,9 @@ APR_INSTALL_STAGING = YES
 # so we need to autoreconf:
 APR_AUTORECONF = YES
 
+# 0004-apr-1.7.0-CVE-2021-35940.patch
+APR_IGNORE_CVES += CVE-2021-35940
+
 # avoid apr_hints.m4 by setting apr_preload_done=yes and set
 # the needed CFLAGS on our own (avoids '-D_REENTRANT' in case
 # not supported by toolchain and subsequent configure failure)