Version in base suite: 1.6.1-5 Base version: apr-util_1.6.1-5 Target version: apr-util_1.6.1-5+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/a/apr-util/apr-util_1.6.1-5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/a/apr-util/apr-util_1.6.1-5+deb11u1.dsc changelog | 8 patches/apr_base64-Make-sure-encoding-decoding-lengths-fit-i.patch | 174 ++++++++++ patches/series | 1 3 files changed, 183 insertions(+) diff -Nru apr-util-1.6.1/debian/changelog apr-util-1.6.1/debian/changelog --- apr-util-1.6.1/debian/changelog 2020-08-29 09:51:07.000000000 +0000 +++ apr-util-1.6.1/debian/changelog 2023-02-18 13:12:08.000000000 +0000 @@ -1,3 +1,11 @@ +apr-util (1.6.1-5+deb11u1) bullseye-security; urgency=high + + * Non-maintainer upload by the Security Team. + * apr_base64: Make sure encoding/decoding lengths fit in an int >= 0 + (CVE-2022-25147) + + -- Salvatore Bonaccorso Sat, 18 Feb 2023 14:12:08 +0100 + apr-util (1.6.1-5) unstable; urgency=medium [ Jelmer Vernooij ] diff -Nru apr-util-1.6.1/debian/patches/apr_base64-Make-sure-encoding-decoding-lengths-fit-i.patch apr-util-1.6.1/debian/patches/apr_base64-Make-sure-encoding-decoding-lengths-fit-i.patch --- apr-util-1.6.1/debian/patches/apr_base64-Make-sure-encoding-decoding-lengths-fit-i.patch 1970-01-01 00:00:00.000000000 +0000 +++ apr-util-1.6.1/debian/patches/apr_base64-Make-sure-encoding-decoding-lengths-fit-i.patch 2023-02-18 13:10:11.000000000 +0000 @@ -0,0 +1,174 @@ +From: Yann Ylavic +Date: Thu, 20 Oct 2022 09:38:34 +0000 +Subject: apr_base64: Make sure encoding/decoding lengths fit in an int >= 0. +Origin: https://github.com/apache/apr-util/commit/3f5257075c7eb601aed6333e9bb5d9eb0e11254b +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-25147 + +The (old) API of apr_base64 functions has always used int for representing +lengths and it does not return errors. Make sure to abort() if the provided +data don't fit. + +* encoding/apr_base64.c(): + #define APR_BASE64_ENCODE_MAX and APR_BASE64_DECODE_MAX as the hard length + limits for encoding and decoding respectively. + +* encoding/apr_base64.c(apr_base64_encode_len, apr_base64_encode, + apr_base64_encode_binary, apr_pbase64_encode): + abort() if the given length is above APR_BASE64_ENCODE_MAX. + +* encoding/apr_base64.c(apr_base64_decode_len, apr_base64_decode, + apr_base64_decode_binary, apr_pbase64_decode): + abort() if the given plain buffer length is above APR_BASE64_DECODE_MAX. + + +apr_base64: Follow up to r1902206: Cap to APR_BASE64_ENCODE_MAX in apr_pbase64_encode(). + + +Merges r1902206[, r1904666] from trunk. +Merges r1904727 from 1.7.x. + + +git-svn-id: https://svn.apache.org/repos/asf/apr/apr-util/branches/1.6.x@1904728 13f79535-47bb-0310-9956-ffa450edef68 +--- + encoding/apr_base64.c | 41 +++++++++++++++++++++++++---------------- + 1 file changed, 25 insertions(+), 16 deletions(-) + +diff --git a/encoding/apr_base64.c b/encoding/apr_base64.c +index e9b75e3ddf88..ac9f281666e3 100644 +--- a/encoding/apr_base64.c ++++ b/encoding/apr_base64.c +@@ -20,11 +20,20 @@ + * ugly 'len' functions, which is quite a nasty cost. + */ + ++#undef NDEBUG /* always abort() on assert()ion failure */ ++#include ++ + #include "apr_base64.h" + #if APR_CHARSET_EBCDIC + #include "apr_xlate.h" + #endif /* APR_CHARSET_EBCDIC */ + ++/* Above APR_BASE64_ENCODE_MAX length the encoding can't fit in an int >= 0 */ ++#define APR_BASE64_ENCODE_MAX 1610612733 ++ ++/* Above APR_BASE64_DECODE_MAX length the decoding can't fit in an int >= 0 */ ++#define APR_BASE64_DECODE_MAX 2863311524u ++ + /* aaaack but it's fast and const should make it shared text page. */ + static const unsigned char pr2six[256] = + { +@@ -109,24 +118,22 @@ APU_DECLARE(apr_status_t) apr_base64init_ebcdic(apr_xlate_t *to_ascii, + + APU_DECLARE(int) apr_base64_decode_len(const char *bufcoded) + { +- int nbytesdecoded; + register const unsigned char *bufin; + register apr_size_t nprbytes; + + bufin = (const unsigned char *) bufcoded; + while (pr2six[*(bufin++)] <= 63); +- + nprbytes = (bufin - (const unsigned char *) bufcoded) - 1; +- nbytesdecoded = (((int)nprbytes + 3) / 4) * 3; ++ assert(nprbytes <= APR_BASE64_DECODE_MAX); + +- return nbytesdecoded + 1; ++ return (int)(((nprbytes + 3u) / 4u) * 3u + 1u); + } + + APU_DECLARE(int) apr_base64_decode(char *bufplain, const char *bufcoded) + { + #if APR_CHARSET_EBCDIC + apr_size_t inbytes_left, outbytes_left; +-#endif /* APR_CHARSET_EBCDIC */ ++#endif /* APR_CHARSET_EBCDIC */ + int len; + + len = apr_base64_decode_binary((unsigned char *) bufplain, bufcoded); +@@ -143,7 +150,7 @@ APU_DECLARE(int) apr_base64_decode(char *bufplain, const char *bufcoded) + * the conversion of the output to ebcdic is left out. + */ + APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain, +- const char *bufcoded) ++ const char *bufcoded) + { + int nbytesdecoded; + register const unsigned char *bufin; +@@ -153,12 +160,13 @@ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain, + bufin = (const unsigned char *) bufcoded; + while (pr2six[*(bufin++)] <= 63); + nprbytes = (bufin - (const unsigned char *) bufcoded) - 1; +- nbytesdecoded = (((int)nprbytes + 3) / 4) * 3; ++ assert(nprbytes <= APR_BASE64_DECODE_MAX); ++ nbytesdecoded = (int)(((nprbytes + 3u) / 4u) * 3u); + + bufout = (unsigned char *) bufplain; + bufin = (const unsigned char *) bufcoded; + +- while (nprbytes > 4) { ++ while (nprbytes >= 4) { + *(bufout++) = + (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4); + *(bufout++) = +@@ -178,13 +186,8 @@ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain, + *(bufout++) = + (unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2); + } +- if (nprbytes > 3) { +- *(bufout++) = +- (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]); +- } + +- nbytesdecoded -= (4 - (int)nprbytes) & 3; +- return nbytesdecoded; ++ return nbytesdecoded - (int)((4u - nprbytes) & 3u); + } + + static const char basis_64[] = +@@ -192,6 +195,8 @@ static const char basis_64[] = + + APU_DECLARE(int) apr_base64_encode_len(int len) + { ++ assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX); ++ + return ((len + 2) / 3 * 4) + 1; + } + +@@ -203,6 +208,8 @@ APU_DECLARE(int) apr_base64_encode(char *encoded, const char *string, int len) + int i; + char *p; + ++ assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX); ++ + p = encoded; + for (i = 0; i < len - 2; i += 3) { + *p++ = basis_64[(os_toascii[string[i]] >> 2) & 0x3F]; +@@ -227,7 +234,7 @@ APU_DECLARE(int) apr_base64_encode(char *encoded, const char *string, int len) + } + + *p++ = '\0'; +- return p - encoded; ++ return (unsigned int)(p - encoded); + #endif /* APR_CHARSET_EBCDIC */ + } + +@@ -240,6 +247,8 @@ APU_DECLARE(int) apr_base64_encode_binary(char *encoded, + int i; + char *p; + ++ assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX); ++ + p = encoded; + for (i = 0; i < len - 2; i += 3) { + *p++ = basis_64[(string[i] >> 2) & 0x3F]; +@@ -264,5 +273,5 @@ APU_DECLARE(int) apr_base64_encode_binary(char *encoded, + } + + *p++ = '\0'; +- return (int)(p - encoded); ++ return (unsigned int)(p - encoded); + } +-- +2.30.2 + diff -Nru apr-util-1.6.1/debian/patches/series apr-util-1.6.1/debian/patches/series --- apr-util-1.6.1/debian/patches/series 2018-02-25 11:28:50.000000000 +0000 +++ apr-util-1.6.1/debian/patches/series 2023-02-18 13:10:17.000000000 +0000 @@ -11,3 +11,4 @@ support_mariadb.patch doxygen_no_ful_path_names.patch fix_gdbm_error_handling +apr_base64-Make-sure-encoding-decoding-lengths-fit-i.patch