!14 Fix CVE-2022-25147

From: @fly_fzc 
Reviewed-by: @lvying6 
Signed-off-by: @lvying6

apr-util-1.2.7-pkgconf.patch

@@ -1,25 +0,0 @@
---- apr-util-1.2.7/Makefile.in.pkgconf
-+++ apr-util-1.2.7/Makefile.in
-@@ -51,7 +51,7 @@
- 
- # Create apu-config script suitable for the install tree
- apu-config.out: $(APU_CONFIG)
--	sed 's,^\(location=\).*$$,\1installed,' < $(APU_CONFIG) > $@
-+	sed 's,^\(location=\).*$$,\1installed,;s,^\(APR_.*_DIR\)=.*,\1="$${libdir}/build",' < $(APU_CONFIG) > $@
- 
- install: $(TARGETS) install-modules
- 	$(APR_MKDIR) $(DESTDIR)$(includedir) $(DESTDIR)$(libdir)/pkgconfig \
---- apr-util-1.2.7/apu-config.in.pkgconf
-+++ apr-util-1.2.7/apu-config.in
-@@ -24,9 +24,10 @@
- prefix="@prefix@"
- exec_prefix="@exec_prefix@"
- bindir="@bindir@"
--libdir="@libdir@"
- includedir="@includedir@"
- 
-+libdir=`pkg-config --variable=libdir apr-util-@APRUTIL_MAJOR_VERSION@`
-+
- LIBS="@APRUTIL_EXPORT_LIBS@"
- INCLUDES="@APRUTIL_INCLUDES@"
- LDFLAGS="@APRUTIL_LDFLAGS@"

apr-util-1.4.1-private.patch

@@ -1,10 +0,0 @@
---- apr-util-1.4.1/apr-util.pc.in~	2008-05-23 16:27:37.000000000 -0500
-+++ apr-util-1.4.1/apr-util.pc.in	2013-02-07 08:55:09.717312176 -0600
-@@ -9,5 +9,6 @@
- Version: @APRUTIL_DOTTED_VERSION@
- # assume that apr-util requires libapr of same major version
- Requires: apr-@APRUTIL_MAJOR_VERSION@
--Libs: -L${libdir} -l@APRUTIL_LIBNAME@ @LDADD_ldap@ @APRUTIL_EXPORT_LIBS@
-+Libs: -L${libdir} -l@APRUTIL_LIBNAME@ @LDADD_ldap@ 
-+Libs.private: @APRUTIL_EXPORT_LIBS@
- Cflags: -I${includedir}

apr-util.spec

@@ -2,22 +2,20 @@
 
 Name: apr-util
 Version: 1.6.1
-Release: 10
+Release: 15
 Summary: apr-util provides a number of helpful abstractions on top of APR.
 License: ASL 2.0
 URL: http://apr.apache.org
 Source0: http://www.apache.org/dist/apr/%{name}-%{version}.tar.bz2
 
-Patch0: apr-util-1.2.7-pkgconf.patch
-Patch1: apr-util-1.4.1-private.patch
-
 Patch6000: Updated-patch-to-compile-apr-util-against-mariadb-10.patch
 Patch6001: Merge-r1822315-from-trunk.patch
 Patch6002: Fix-error-handling-in-gdbm.patch
 Patch6003: Merge-r1834022-r1834023-r1834024-from-trunk.patch
 Patch6004: Remove-dereference-of-null-pointer.patch
+Patch6005: backport-CVE-2022-25147-apr_base64-Make-sure-encoding-decoding-lengths-fit-i.patch
 
-BuildRequires: gcc autoconf apr-devel >= 1.6.0 libdb-devel expat-devel libuuid-devel
+BuildRequires: gcc autoconf apr-devel >= 1.6.0 gdbm-devel expat-devel libuuid-devel
 BuildRequires: mariadb-connector-c-devel sqlite-devel >= 3.1.0 openldap-devel openssl-devel
 
 Requires: apr-util%{?_isa} = %{version}-%{release}
@@ -43,7 +41,7 @@ work around or take advantage of platform-specific deficiencies or features.
 %package devel
 Summary: The development kit of apr-util.
 Requires: expat-devel%{?_isa} apr-util%{?_isa} = %{version}-%{release}
-Requires: libdb-devel%{?_isa} openldap-devel%{?_isa} apr-devel%{?_isa} pkgconfig
+Requires: gdbm-devel%{?_isa} openldap-devel%{?_isa} apr-devel%{?_isa} pkgconfig
 
 %description devel
 The development kit of apr-util.
@@ -71,8 +69,8 @@ The ODBC DBD driver of apr-util.
 autoheader && autoconf
 export ac_cv_ldap_set_rebind_proc_style=three
 %configure --with-apr=%{_prefix} --includedir=%{_includedir}/apr-%{apuver} \
-        --with-ldap=ldap_r --without-gdbm --with-sqlite3 --with-pgsql --with-mysql --with-odbc \
-        --with-dbm=db5 --with-berkeley-db --without-sqlite2 --with-crypto --with-openssl
+        --with-ldap=ldap_r --with-gdbm --with-sqlite3 --with-pgsql --with-mysql --with-odbc \
+        --with-dbm=gdbm --without-berkeley-db --without-sqlite2 --with-crypto --with-openssl
 %make_build
 
 %install
@@ -105,7 +103,7 @@ make test
 %license LICENSE
 %{_libdir}/libaprutil-%{apuver}.so.*
 %dir %{_libdir}/%{name}-%{apuver}
-%{_libdir}/%{name}-%{apuver}/apr_dbm_db*
+%{_libdir}/%{name}-%{apuver}/apr_dbm_gdbm*
 %{_libdir}/%{name}-%{apuver}/apr_dbd_mysql*
 %{_libdir}/%{name}-%{apuver}/apr_dbd_sqlite*
 %{_libdir}/%{name}-%{apuver}/apr_ldap*
@@ -126,6 +124,21 @@ make test
 %{_libdir}/%{name}-%{apuver}/apr_dbd_odbc*
 
 %changelog
+* Tue Feb 14 2023 fuanan <fuanan3@h-partners.com> - 1.6.1-15
+- Fix CVE-2022-25147
+
+* Thu Jan 14 2021 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 1.6.1-14
+- add requires gdbm-devel
+
+* Fri Jan 8 2021 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 1.6.1-13
+- BuildRequires: replace libdb with gdbm
+
+* Mon May 18 2020 wangchen <wangchen137@huawei.com> - 1.6.1-12
+- rebuild for apr-util.
+
+* Mon Jan 13 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.6.1-11
+- Delete useless files.
+
 * Tue Oct 22 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.6.1-10
 - optimize spec file.
 

backport-CVE-2022-25147-apr_base64-Make-sure-encoding-decoding-lengths-fit-i.patch

@@ -0,0 +1,159 @@
+From 850cc4f69639ac9f1c1c9767efaf4883ee3217ce Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Thu, 23 Jun 2022 15:12:47 +0000
+Subject: [PATCH] apr_base64: Make sure encoding/decoding lengths fit in an int
+ >= 0.
+
+The (old) API of apr_base64 functions has always used int for representing
+lengths and it does not return errors. Make sure to abort() if the provided
+data don't fit.
+
+* encoding/apr_base64.c():
+  #define APR_BASE64_ENCODE_MAX and APR_BASE64_DECODE_MAX as the hard length
+  limits for encoding and decoding respectively.
+
+* encoding/apr_base64.c(apr_base64_encode_len, apr_base64_encode,
+                        apr_base64_encode_binary, apr_pbase64_encode):
+  abort() if the given length is above APR_BASE64_ENCODE_MAX.
+
+* encoding/apr_base64.c(apr_base64_decode_len, apr_base64_decode,
+                        apr_base64_decode_binary, apr_pbase64_decode):
+  abort() if the given plain buffer length is above APR_BASE64_DECODE_MAX.
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/apr/apr/trunk@1902206 13f79535-47bb-0310-9956-ffa450edef68
+---
+ encoding/apr_base64.c | 46 ++++++++++++++++++++++++++-----------------
+ 1 file changed, 28 insertions(+), 18 deletions(-)
+
+diff --git a/encoding/apr_base64.c b/encoding/apr_base64.c
+index b4b28cf75..f5c2786ad 100644
+--- a/encoding/apr_base64.c
++++ b/encoding/apr_base64.c
+@@ -20,11 +20,20 @@
+  * ugly 'len' functions, which is quite a nasty cost.
+  */
+ 
++#undef NDEBUG /* always abort() on assert()ion failure */
++#include <assert.h>
++
+ #include "apr_base64.h"
+ #if APR_CHARSET_EBCDIC
+ #include "apr_xlate.h"
+ #endif				/* APR_CHARSET_EBCDIC */
+ 
++/* Above APR_BASE64_ENCODE_MAX length the encoding can't fit in an int >= 0 */
++#define APR_BASE64_ENCODE_MAX 1610612733
++
++/* Above APR_BASE64_DECODE_MAX length the decoding can't fit in an int >= 0 */
++#define APR_BASE64_DECODE_MAX 2863311524u
++
+ /* aaaack but it's fast and const should make it shared text page. */
+ static const unsigned char pr2six[256] =
+ {
+@@ -109,24 +118,22 @@ APU_DECLARE(apr_status_t) apr_base64init_ebcdic(apr_xlate_t *to_ascii,
+ 
+ APU_DECLARE(int) apr_base64_decode_len(const char *bufcoded)
+ {
+-    int nbytesdecoded;
+     register const unsigned char *bufin;
+     register apr_size_t nprbytes;
+ 
+     bufin = (const unsigned char *) bufcoded;
+     while (pr2six[*(bufin++)] <= 63);
+-
+     nprbytes = (bufin - (const unsigned char *) bufcoded) - 1;
+-    nbytesdecoded = (((int)nprbytes + 3) / 4) * 3;
++    assert(nprbytes <= APR_BASE64_DECODE_MAX);
+ 
+-    return nbytesdecoded + 1;
++    return (int)(((nprbytes + 3u) / 4u) * 3u + 1u);
+ }
+ 
+ APU_DECLARE(int) apr_base64_decode(char *bufplain, const char *bufcoded)
+ {
+ #if APR_CHARSET_EBCDIC
+     apr_size_t inbytes_left, outbytes_left;
+-#endif				/* APR_CHARSET_EBCDIC */
++#endif /* APR_CHARSET_EBCDIC */
+     int len;
+     
+     len = apr_base64_decode_binary((unsigned char *) bufplain, bufcoded);
+@@ -154,12 +161,13 @@ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain,
+     bufin = (const unsigned char *) bufcoded;
+     while (pr2six[*(bufin++)] <= 63);
+     nprbytes = (bufin - (const unsigned char *) bufcoded) - 1;
+-    nbytesdecoded = (((int)nprbytes + 3) / 4) * 3;
++    assert(nprbytes <= APR_BASE64_DECODE_MAX);
++    nbytesdecoded = (int)(((nprbytes + 3u) / 4u) * 3u);
+ 
+     bufout = (unsigned char *) bufplain;
+     bufin = (const unsigned char *) bufcoded;
+ 
+-    while (nprbytes > 4) {
++    while (nprbytes >= 4) {
+ 	*(bufout++) =
+ 	    (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
+ 	*(bufout++) =
+@@ -179,13 +187,8 @@ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain,
+ 	*(bufout++) =
+ 	    (unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
+     }
+-    if (nprbytes > 3) {
+-	*(bufout++) =
+-	    (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
+-    }
+ 
+-    nbytesdecoded -= (4 - (int)nprbytes) & 3;
+-    return nbytesdecoded;
++    return nbytesdecoded - (int)((4u - nprbytes) & 3u);
+ }
+ 
+ static const char basis_64[] =
+@@ -203,6 +206,8 @@ static const char basis_64[] =
+ 
+ APU_DECLARE(int) apr_base64_encode_len(int len)
+ {
++    assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
++
+     return ((len + 2) / 3 * 4) + 1;
+ }
+ 
+@@ -214,6 +219,8 @@ APU_DECLARE(int) apr_base64_encode(char *encoded, const char *string, int len)
+     int i;
+     char *p;
+ 
++    assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
++
+     p = encoded;
+     for (i = 0; i < len - 2; i += 3) {
+ 	*p++ = basis_64[(os_toascii[string[i]] >> 2) & 0x3F];
+@@ -238,7 +245,7 @@ APU_DECLARE(int) apr_base64_encode(char *encoded, const char *string, int len)
+     }
+ 
+     *p++ = '\0';
+-    return p - encoded;
++    return (unsigned int)(p - encoded);
+ #endif				/* APR_CHARSET_EBCDIC */
+ }
+ 
+@@ -251,6 +258,8 @@ APU_DECLARE(int) apr_base64_encode_binary(char *encoded,
+     int i;
+     char *p;
+ 
++    assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
++
+     p = encoded;
+     for (i = 0; i < len - 2; i += 3) {
+ 	*p++ = basis_64[(string[i] >> 2) & 0x3F];
+@@ -275,5 +284,5 @@ APU_DECLARE(int) apr_base64_encode_binary(char *encoded,
+     }
+ 
+     *p++ = '\0';
+-    return (int)(p - encoded);
++    return (unsigned int)(p - encoded);
+ }
+-- 
+2.27.0
+