Bug 29400 - apr new security issue CVE-2021-35940
Summary: apr new security issue CVE-2021-35940
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2021-08-23 23:24 CEST by David Walser
Modified: 2021-09-05 02:17 CEST (History)
5 users

See Also:
Source RPM: apr-1.7.0-3.mga8.src.rpm
CVE: CVE-2021-35940
Status comment:


Attachments

Description David Walser 2021-08-23 23:24:09 CEST
This got broken again by the upgrade to 1.7.0, as the fix never made its way into the 1.7 branch.

Apache has issued an advisory for this today:
https://www.openwall.com/lists/oss-security/2021/08/23/1

Mageia 8 is also affected.

+++ This bug was initially created as a clone of Bug #22017 +++

Fedora has issued an advisory on November 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GWFCC4MZWCXHD25BGQ26Z5VI7O6YH5WV/

Mageia 5 is also affected.

The issue was fixed upstream in 1.6.3.

The RedHat bug contains a link to the upstream commit that fixed the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1506523#c7
David Walser 2021-08-23 23:24:33 CEST

Whiteboard: (none) => MGA8TOO
Version: 6 => Cauldron
Status comment: (none) => Patch available from upstream

Comment 1 Lewis Smith 2021-08-24 20:37:02 CEST
This fatherless SRPM has been committed by many different people, so I am having to assign the bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2021-08-30 16:53:16 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue. (CVE-2021-35940)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35940
https://www.openwall.com/lists/oss-security/2021/08/23/1
========================

Updated packages in core/updates_testing:
========================
lib(64)apr1_0-1.7.0-3.1.mga8
lib(64)apr-devel-1.7.0-3.1.mga8

from SRPM:
apr-1.7.0-3.1.mga8.src.rpm

CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2021-35940
Status comment: Patch available from upstream => (none)
Status: NEW => ASSIGNED

Nicolas Salguero 2021-08-30 16:53:30 CEST

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 3 Len Lawrence 2021-08-30 20:11:27 CEST
mga8, x64

This seems to be intended as a universal API for programmers needing to interface with different platforms without having to know too much about the underlying details.  It is purely development stuff.  The top-level apr.h file contains over 600 defines and typedefs.  Not surprising to see that it is required by development packages only.
$ urpmq --whatrequires-recursive lib64apr1_0 | sort -u
apache-devel
apache-mod_perl-devel
lib64apr-devel
lib64apr-util-devel
lib64svncpp-devel
subversion-devel

All we can do is demonstrate a clean install.

lib64apr1_0 already on board.  Installed the devel package and updated.
qarepo and MageiaUpdate - no problems.
$ rpm -qa | grep apr
lib64apr-util1_0-1.6.1-4.mga8
lib64apr1_0-1.7.0-3.1.mga8
lib64apr-devel-1.7.0-3.1.mga8
$ urpmq -i lib64apr-util1_0
........
Summary     : Apache Portable Runtime Utility library
Description :
The mission of the Apache Portable Runtime (APR) is to provide a
free library of C data structures and routines.  This library
contains additional utility interfaces for APR; including support
for XML, LDAP, database interfaces, URI parsing and more.
.........

Support for LDAP, MySQL, Oracle, sqlite3 and others can be enabled.

Giving this the green light.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 4 David Walser 2021-08-31 19:41:38 CEST
Ubuntu has issued an advisory for this on August 30:
https://ubuntu.com/security/notices/USN-5056-1
Comment 5 David Walser 2021-08-31 19:50:14 CEST
RedHat has issued an advisory on August 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6FWFN6CSD2CNV63HOPH57T3CQKYKELVR/

Do we have these coverity cleanups included?
Comment 6 Nicolas Salguero 2021-09-01 07:44:15 CEST
(In reply to David Walser from comment #5)
> Do we have these coverity cleanups included?

No, we don't.  I only added a patch for CVE-2021-35940.  Do you want me to add the patch for those cleanups and push a new release?
Comment 7 David Walser 2021-09-01 14:40:42 CEST
Yes please.
Comment 8 Nicolas Salguero 2021-09-01 15:05:27 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue. (CVE-2021-35940)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35940
https://www.openwall.com/lists/oss-security/2021/08/23/1
https://ubuntu.com/security/notices/USN-5056-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6FWFN6CSD2CNV63HOPH57T3CQKYKELVR/
========================

Updated packages in core/updates_testing:
========================
lib(64)apr1_0-1.7.0-3.2.mga8
lib(64)apr-devel-1.7.0-3.2.mga8

from SRPM:
apr-1.7.0-3.2.mga8.src.rpm
Nicolas Salguero 2021-09-01 15:18:40 CEST

Whiteboard: MGA8-64-OK => (none)
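As an added example (not code from this bug report or from the Mageia project), a small checker that takes `rpm -qa | grep apr` output like the listing in comment 3 and flags apr packages still older than the fixed version-release given in the advisory above. The sample input is constructed, and the version comparison is a simplified rpmvercmp (no epoch, no ~ or ^ handling).

```python
import re

# Fixed version-release from the advisory in comment 8; lib(64) expands to both
# the 32-bit and 64-bit package names.
FIXED = {name: "1.7.0-3.2.mga8"
         for name in ("libapr1_0", "lib64apr1_0", "libapr-devel", "lib64apr-devel")}

# Constructed sample of `rpm -qa | grep apr` output, modelled on comment 3.
SAMPLE_RPM_QA = """lib64apr-util1_0-1.6.1-4.mga8
lib64apr1_0-1.7.0-3.1.mga8
lib64apr-devel-1.7.0-3.1.mga8
"""

def split_nvr(pkg):
    """Split 'name-version-release' into its parts (no epoch or arch suffix)."""
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release

def rpmvercmp(a, b):
    """Simplified rpmvercmp returning -1, 0 or 1.  Alternating numeric and
    alphabetic segments are compared in turn; numbers compare numerically
    (so 10 > 9) and a numeric segment sorts after an alphabetic one.
    Epoch and the ~ / ^ operators are not handled (assumption)."""
    seg_a = re.findall(r"\d+|[A-Za-z]+", a)
    seg_b = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return -1 if x < y else 1
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def vulnerable_packages(rpm_qa_output, fixed=FIXED):
    """Return installed packages whose version-release is older than the fix."""
    flagged = []
    for line in rpm_qa_output.split():
        name, version, release = split_nvr(line)
        if name not in fixed:
            continue  # e.g. lib64apr-util1_0 comes from a different source package
        fixed_ver, fixed_rel = fixed[name].split("-")
        order = rpmvercmp(version, fixed_ver) or rpmvercmp(release, fixed_rel)
        if order < 0:
            flagged.append(line)
    return flagged

if __name__ == "__main__":
    for pkg in vulnerable_packages(SAMPLE_RPM_QA):
        print("needs update:", pkg)
```

On a real Mageia 8 host the same function can be fed the output of `rpm -qa` directly.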

Comment 9 David Walser 2021-09-01 17:00:27 CEST
Thanks Nicolas.  Len, Apache uses this library, so you can test with that.
Comment 10 Len Lawrence 2021-09-01 22:28:56 CEST
mga8, x64
httpd running fine.
Installed the updates and restarted apache.  localhost says "It works!".
In no position to get the server to use libapr but Firefox functions properly.  Checked a few links, bookmarks, Gmail account, logged in to my router, read Ruby Weekly and watched DUST videos on Youtube.  Ran PhpMyAdmin; opened an earlier test database.

Hoping this is a sufficient test.

Whiteboard: (none) => MGA8-64-OK

Comment 11 Thomas Andrews 2021-09-05 02:17:19 CEST
Validating. Advisory in Comment 8.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

