From b570feeb64fca543c94821fb86331569b233a1e5 Mon Sep 17 00:00:00 2001
From: Peter Korsgaard
Date: Mon, 16 Dec 2024 13:22:08 +0100
Subject: [PATCH] package/apr: add upstream security fix for CVE-2023-49582

Fixes CVE-2023-49582: Lax permissions set by the Apache Portable Runtime library on Unix platforms would allow local users read access to named shared memory segments, potentially revealing sensitive application data. This issue does not affect non-Unix platforms, or builds with APR_USE_SHMEM_SHMGET=1 (apr.h) Users are recommended to upgrade to APR version 1.7.5, which fixes this issue.

Signed-off-by: Peter Korsgaard
Signed-off-by: Julien Olivain
(cherry picked from commit a60c38b381bbb46094f57fe1c252df962fab6673)
Signed-off-by: Peter Korsgaard
---
 .../apr/0004-Merge-r1920082-from-1.8.x.patch | 71 +++++++++++++++++++
 package/apr/apr.mk | 3 +
 2 files changed, 74 insertions(+)
 create mode 100644 package/apr/0004-Merge-r1920082-from-1.8.x.patch

diff --git a/package/apr/0004-Merge-r1920082-from-1.8.x.patch b/package/apr/0004-Merge-r1920082-from-1.8.x.patch
new file mode 100644
index 0000000000..5d198def34
--- /dev/null
+++ b/package/apr/0004-Merge-r1920082-from-1.8.x.patch
@@ -0,0 +1,71 @@
+From 36ea6d5a2bfc480dd8032cc8651e6793552bc2aa Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Tue, 20 Aug 2024 21:50:42 +0000
+Subject: [PATCH] Merge r1920082 from 1.8.x:
+
+use 0600 perms for named shared mem consistently
+
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/apr/apr/branches/1.7.x@1920083 13f79535-47bb-0310-9956-ffa450edef68
+Upstream: https://github.com/apache/apr/commit/36ea6d5a2bfc480dd8032cc8651e6793552bc2aa
+Signed-off-by: Peter Korsgaard
+---
+ shmem/unix/shm.c | 18 +++++++-----------
+ 1 file changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/shmem/unix/shm.c b/shmem/unix/shm.c
+index 096884d99..ea9b94277 100644
+--- a/shmem/unix/shm.c
++++ b/shmem/unix/shm.c
+@@ -287,10 +287,9 @@ APR_DECLARE(apr_status_t) apr_shm_create(apr_shm_t **m,
+ status = APR_SUCCESS;
+
+ #if APR_USE_SHMEM_MMAP_TMP
+- /* FIXME: Is APR_OS_DEFAULT sufficient? */
+- status = apr_file_open(&file, filename,
+- APR_READ | APR_WRITE | APR_CREATE | APR_EXCL,
+- APR_OS_DEFAULT, pool);
++ status = apr_file_open(&file, filename,
++ APR_FOPEN_READ | APR_FOPEN_WRITE | APR_FOPEN_CREATE | APR_FOPEN_EXCL,
++ APR_FPROT_UREAD | APR_FPROT_UWRITE, pool);
+ if (status != APR_SUCCESS) {
+ return status;
+ }
+@@ -319,8 +318,7 @@ APR_DECLARE(apr_status_t) apr_shm_create(apr_shm_t **m,
+ }
+ #endif /* APR_USE_SHMEM_MMAP_TMP */
+ #if APR_USE_SHMEM_MMAP_SHM
+- /* FIXME: SysV uses 0600... should we? */
+- tmpfd = shm_open(shm_name, O_RDWR | O_CREAT | O_EXCL, 0644);
++ tmpfd = shm_open(shm_name, O_RDWR | O_CREAT | O_EXCL, 0600);
+ if (tmpfd == -1) {
+ return errno;
+ }
+@@ -361,10 +359,9 @@ APR_DECLARE(apr_status_t) apr_shm_create(apr_shm_t **m,
+ #elif APR_USE_SHMEM_SHMGET
+ new_m->realsize = reqsize;
+
+- /* FIXME: APR_OS_DEFAULT is too permissive, switch to 600 I think. */
+- status = apr_file_open(&file, filename,
++ status = apr_file_open(&file, filename,
+ APR_FOPEN_WRITE | APR_FOPEN_CREATE | APR_FOPEN_EXCL,
+- APR_OS_DEFAULT, pool);
++ APR_FPROT_UREAD | APR_FPROT_UWRITE, pool);
+ if (status != APR_SUCCESS) {
+ return status;
+ }
+@@ -555,8 +552,7 @@ APR_DECLARE(apr_status_t) apr_shm_attach(apr_shm_t **m,
+ #if APR_USE_SHMEM_MMAP_SHM
+ const char *shm_name = make_shm_open_safe_name(filename, pool);
+
+- /* FIXME: SysV uses 0600... should we? */
+- tmpfd = shm_open(shm_name, O_RDWR, 0644);
++ tmpfd = shm_open(shm_name, O_RDWR, 0600);
+ if (tmpfd == -1) {
+ return errno;
+ }
+--
+2.39.5
+
diff --git a/package/apr/apr.mk b/package/apr/apr.mk
index d86431e5d3..29aedbf1e8 100644
--- a/package/apr/apr.mk
+++ b/package/apr/apr.mk
@@ -16,6 +16,9 @@ APR_INSTALL_STAGING = YES
 # so we need to autoreconf:
 APR_AUTORECONF = YES
 
+# 0004-Merge-r1920082-from-1.8.x.patch
+APR_IGNORE_CVES += CVE-2023-49582
+
 APR_CONF_OPTS = --disable-sctp
 
 # avoid apr_hints.m4 by setting apr_preload_done=yes and set
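Review bot: In the embedded patch's `@@ -555` hunk, `tmpfd = shm_open(shm_name, O_RDWR, 0600);` in `apr_shm_attach` opens without O_CREAT, so the mode argument is ignored there and the change is cosmetic; a comment such as `/* mode is unused without O_CREAT; 0600 kept for consistency with apr_shm_create */` would keep a reader from assuming that attaching repairs the permissions of an existing segment. The three creation paths apply the new mode (0600, or APR_FPROT_UREAD | APR_FPROT_UWRITE) only when the object is created (O_CREAT | O_EXCL, APR_FOPEN_CREATE | APR_FOPEN_EXCL), so segments or temp files created by a build predating this patch keep their 0644 mode until they are destroyed and recreated. The created mode is also still subject to the process umask, which can only restrict it further; that caveat is worth a sentence in the patch header for operators applying this as an update. Both `apr_shm_create` and `apr_shm_attach` start and end outside the hunks shown.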