Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/dev-libs
diff options
context:
space:
mode:
authorHans de Graaff <graaff@gentoo.org>2022-08-20 10:22:07 +0200
committerHans de Graaff <graaff@gentoo.org>2022-08-20 10:23:11 +0200
commitf00c644c3393ceb36ae94a52cad5f56ae4d6f60c (patch)
tree2fcf6d2c258074067b8573a5fe3da10728ab75f7 /dev-libs
parentwww-client/chromium: filter out -mno-sse4a (diff)
downloadgentoo-f00c644c3393ceb36ae94a52cad5f56ae4d6f60c.tar.gz
gentoo-f00c644c3393ceb36ae94a52cad5f56ae4d6f60c.tar.bz2
gentoo-f00c644c3393ceb36ae94a52cad5f56ae4d6f60c.zip
dev-libs/apr: apply fix for CVE-2021-35940
Bug: https://bugs.gentoo.org/828545 Signed-off-by: Hans de Graaff <graaff@gentoo.org>
Diffstat (limited to 'dev-libs')
-rw-r--r--dev-libs/apr/apr-1.7.0-r5.ebuild162
-rw-r--r--dev-libs/apr/files/apr-1.7.0-CVE-2021-35940.patch53
2 files changed, 215 insertions, 0 deletions
diff --git a/dev-libs/apr/apr-1.7.0-r5.ebuild b/dev-libs/apr/apr-1.7.0-r5.ebuild
new file mode 100644
index 000000000000..b3db9ef05212
--- /dev/null
+++ b/dev-libs/apr/apr-1.7.0-r5.ebuild
@@ -0,0 +1,162 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit autotools libtool toolchain-funcs
+
+DESCRIPTION="Apache Portable Runtime Library"
+HOMEPAGE="https://apr.apache.org/"
+SRC_URI="mirror://apache/apr/${P}.tar.bz2"
+
+LICENSE="Apache-2.0"
+SLOT="1/${PV%.*}"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="doc older-kernels-compatibility selinux static-libs +urandom"
+
+# See bug #815265 for libcrypt dependency
+CDEPEND="virtual/libcrypt:=
+ elibc_glibc? ( >=sys-apps/util-linux-2.16 )"
+RDEPEND="${CDEPEND}
+ selinux? ( sec-policy/selinux-base-policy )"
+DEPEND="${CDEPEND}
+ >=sys-devel/libtool-2.4.2
+ doc? ( app-doc/doxygen )"
+
+DOCS=( CHANGES NOTICE README )
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.5.0-mint.patch
+ "${FILESDIR}"/${PN}-1.5.0-libtool.patch
+ "${FILESDIR}"/${PN}-1.5.0-cross-types.patch
+ "${FILESDIR}"/${PN}-1.5.0-sysroot.patch #385775
+ "${FILESDIR}"/${PN}-1.6.3-skip-known-failing-tests.patch
+ "${FILESDIR}"/${PN}-1.7.0-autoconf-2.70.patch #750353
+ "${FILESDIR}"/${PN}-1.7.0-CVE-2021-35940.patch #828545
+)
+
+src_prepare() {
+ default
+
+ mv configure.in configure.ac || die
+ AT_M4DIR="build" eautoreconf
+ elibtoolize
+
+ eapply "${FILESDIR}/config.layout.patch"
+}
+
+src_configure() {
+ local myconf=(
+ --enable-layout=gentoo
+ --enable-nonportable-atomics
+ --enable-posix-shm
+ --enable-threads
+ $(use_enable static-libs static)
+ --with-installbuilddir="${EPREFIX}"/usr/share/${PN}/build
+ )
+
+ if use older-kernels-compatibility; then
+ local apr_cv_accept4 apr_cv_dup3 apr_cv_epoll_create1 apr_cv_sock_cloexec
+ export apr_cv_accept4="no"
+ export apr_cv_dup3="no"
+ export apr_cv_epoll_create1="no"
+ export apr_cv_sock_cloexec="no"
+ fi
+ if tc-is-cross-compiler; then
+ # The apache project relies heavily on AC_TRY_RUN and doesn't
+ # have any sane cross-compiling fallback logic.
+ export \
+ ac_cv_file__dev_zero="yes" \
+ ac_cv_func_sem_open="yes" \
+ ac_cv_negative_eai="yes" \
+ ac_cv_o_nonblock_inherited="no" \
+ ac_cv_struct_rlimit="yes" \
+ ap_cv_atomic_builtins="yes" \
+ apr_cv_accept4="yes" \
+ apr_cv_dup3="yes" \
+ apr_cv_epoll="yes" \
+ apr_cv_epoll_create1="yes" \
+ apr_cv_gai_addrconfig="yes" \
+ apr_cv_mutex_recursive="yes" \
+ apr_cv_mutex_robust_shared="yes" \
+ apr_cv_process_shared_works="yes" \
+ apr_cv_pthreads_lib="-pthread" \
+ apr_cv_sock_cloexec="yes" \
+ apr_cv_tcp_nodelay_with_cork="yes"
+ fi
+
+ if use urandom; then
+ myconf+=( --with-devrandom=/dev/urandom )
+ elif (( ${CHOST#*-hpux11.} <= 11 )); then
+ : # no /dev/*random on hpux11.11 and before, ${PN} detects this.
+ else
+ myconf+=( --with-devrandom=/dev/random )
+ fi
+
+ tc-is-static-only && myconf+=( --disable-dso )
+
+ # shl_load does not search runpath, but hpux11 supports dlopen
+ [[ ${CHOST} == *-hpux11* ]] && myconf+=( --enable-dso=dlfcn )
+
+ if [[ ${CHOST} == *-solaris2.10 ]]; then
+ case $(<$([[ ${CHOST} != ${CBUILD} ]] && echo "${EPREFIX}/usr/${CHOST}")/usr/include/atomic.h) in
+ *atomic_cas_ptr*) ;;
+ *)
+ elog "You do not have Solaris Patch ID "$(
+ [[ ${CHOST} == sparc* ]] && echo 118884 || echo 118885
+ )" (Problem 4954703) installed on your host ($(hostname)),"
+ elog "using generic atomic operations instead."
+ myconf+=( --disable-nonportable-atomics )
+ ;;
+ esac
+ else
+ if use ppc || use sparc || use mips; then
+ # Avoid libapr containing undefined references (underlinked)
+ # undefined reference to `__sync_val_compare_and_swap_8'
+ # (May be possible to fix via libatomic linkage in future?)
+ # bug #740464
+ myconf+=( --disable-nonportable-atomics )
+ fi
+ fi
+
+ econf "${myconf[@]}"
+}
+
+src_compile() {
+ if tc-is-cross-compiler; then
+ # This header is the same across targets, so use the build compiler.
+ emake tools/gen_test_char
+ tc-export_build_env BUILD_CC
+ ${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
+ tools/gen_test_char.c -o tools/gen_test_char || die
+ fi
+
+ emake
+
+ if use doc; then
+ emake dox
+ fi
+}
+
+src_test() {
+ # Building tests in parallel is broken
+ emake -j1 check
+}
+
+src_install() {
+ default
+
+ if ! use static-libs; then
+ find "${ED}" -name '*.la' -delete || die
+ fi
+
+ if use doc; then
+ docinto html
+ dodoc -r docs/dox/html/*
+ fi
+
+ # This file is only used on AIX systems, which Gentoo is not,
+ # and causes collisions between the SLOTs, so remove it.
+ # Even in Prefix, we don't need this on AIX.
+ rm "${ED}/usr/$(get_libdir)/apr.exp" || die
+}
diff --git a/dev-libs/apr/files/apr-1.7.0-CVE-2021-35940.patch b/dev-libs/apr/files/apr-1.7.0-CVE-2021-35940.patch
new file mode 100644
index 000000000000..f23d729f523e
--- /dev/null
+++ b/dev-libs/apr/files/apr-1.7.0-CVE-2021-35940.patch
@@ -0,0 +1,53 @@
+
+SECURITY: CVE-2021-35940 (cve.mitre.org)
+
+Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though
+was addressed in 1.6.x in 1.6.3 and later via r1807976.
+
+The fix was merged back to 1.7.x in r1891198.
+
+Since this was a regression in 1.7.0, a new CVE name has been assigned
+to track this, CVE-2021-35940.
+
+Thanks to Iveta Cesalova <icesalov redhat.com> for reporting this issue.
+
+https://svn.apache.org/viewvc?view=revision&revision=1891198
+
+Index: time/unix/time.c
+===================================================================
+--- a/time/unix/time.c (revision 1891197)
++++ b/time/unix/time.c (revision 1891198)
+@@ -142,6 +142,9 @@
+ static const int dayoffset[12] =
+ {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+
++ if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++ return APR_EBADDATE;
++
+ /* shift new year to 1st March in order to make leap year calc easy */
+
+ if (xt->tm_mon < 2)
+Index: time/win32/time.c
+===================================================================
+--- a/time/win32/time.c (revision 1891197)
++++ b/time/win32/time.c (revision 1891198)
+@@ -54,6 +54,9 @@
+ static const int dayoffset[12] =
+ {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
+
++ if (tm->wMonth < 1 || tm->wMonth > 12)
++ return APR_EBADDATE;
++
+ /* Note; the caller is responsible for filling in detailed tm_usec,
+ * tm_gmtoff and tm_isdst data when applicable.
+ */
+@@ -228,6 +231,9 @@
+ static const int dayoffset[12] =
+ {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275};
+
++ if (xt->tm_mon < 0 || xt->tm_mon >= 12)
++ return APR_EBADDATE;
++
+ /* shift new year to 1st March in order to make leap year calc easy */
+
+ if (xt->tm_mon < 2)