Merging debian version 1.6.1-5+deb11u1.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

3 files changed, 183 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index 1f34efc..6e17d47 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+apr-util (1.6.1-5+deb11u1) bullseye-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * apr_base64: Make sure encoding/decoding lengths fit in an int >= 0
+    (CVE-2022-25147)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 18 Feb 2023 14:12:08 +0100
+
 apr-util (1.6.1-5~progress5+u1) engywuck-backports; urgency=medium
 
   * Initial upload to engywuck-backports.
diff --git a/debian/patches/apr_base64-Make-sure-encoding-decoding-lengths-fit-i.patch b/debian/patches/apr_base64-Make-sure-encoding-decoding-lengths-fit-i.patch
new file mode 100644
index 0000000..7e701e0
--- /dev/null
+++ b/debian/patches/apr_base64-Make-sure-encoding-decoding-lengths-fit-i.patch
@@ -0,0 +1,174 @@
+From: Yann Ylavic <ylavic@apache.org>
+Date: Thu, 20 Oct 2022 09:38:34 +0000
+Subject: apr_base64: Make sure encoding/decoding lengths fit in an int >= 0.
+Origin: https://github.com/apache/apr-util/commit/3f5257075c7eb601aed6333e9bb5d9eb0e11254b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-25147
+
+The (old) API of apr_base64 functions has always used int for representing
+lengths and it does not return errors. Make sure to abort() if the provided
+data don't fit.
+
+* encoding/apr_base64.c():
+  #define APR_BASE64_ENCODE_MAX and APR_BASE64_DECODE_MAX as the hard length
+  limits for encoding and decoding respectively.
+
+* encoding/apr_base64.c(apr_base64_encode_len, apr_base64_encode,
+                        apr_base64_encode_binary, apr_pbase64_encode):
+  abort() if the given length is above APR_BASE64_ENCODE_MAX.
+
+* encoding/apr_base64.c(apr_base64_decode_len, apr_base64_decode,
+                        apr_base64_decode_binary, apr_pbase64_decode):
+  abort() if the given plain buffer length is above APR_BASE64_DECODE_MAX.
+
+
+apr_base64: Follow up to r1902206: Cap to APR_BASE64_ENCODE_MAX in apr_pbase64_encode().
+
+
+Merges r1902206[, r1904666] from trunk.
+Merges r1904727 from 1.7.x.
+
+
+git-svn-id: https://svn.apache.org/repos/asf/apr/apr-util/branches/1.6.x@1904728 13f79535-47bb-0310-9956-ffa450edef68
+---
+ encoding/apr_base64.c | 41 +++++++++++++++++++++++++----------------
+ 1 file changed, 25 insertions(+), 16 deletions(-)
+
+diff --git a/encoding/apr_base64.c b/encoding/apr_base64.c
+index e9b75e3ddf88..ac9f281666e3 100644
+--- a/encoding/apr_base64.c
++++ b/encoding/apr_base64.c
+@@ -20,11 +20,20 @@
+  * ugly 'len' functions, which is quite a nasty cost.
+  */
+ 
++#undef NDEBUG /* always abort() on assert()ion failure */
++#include <assert.h>
++
+ #include "apr_base64.h"
+ #if APR_CHARSET_EBCDIC
+ #include "apr_xlate.h"
+ #endif				/* APR_CHARSET_EBCDIC */
+ 
++/* Above APR_BASE64_ENCODE_MAX length the encoding can't fit in an int >= 0 */
++#define APR_BASE64_ENCODE_MAX 1610612733
++
++/* Above APR_BASE64_DECODE_MAX length the decoding can't fit in an int >= 0 */
++#define APR_BASE64_DECODE_MAX 2863311524u
++
+ /* aaaack but it's fast and const should make it shared text page. */
+ static const unsigned char pr2six[256] =
+ {
+@@ -109,24 +118,22 @@ APU_DECLARE(apr_status_t) apr_base64init_ebcdic(apr_xlate_t *to_ascii,
+ 
+ APU_DECLARE(int) apr_base64_decode_len(const char *bufcoded)
+ {
+-    int nbytesdecoded;
+     register const unsigned char *bufin;
+     register apr_size_t nprbytes;
+ 
+     bufin = (const unsigned char *) bufcoded;
+     while (pr2six[*(bufin++)] <= 63);
+-
+     nprbytes = (bufin - (const unsigned char *) bufcoded) - 1;
+-    nbytesdecoded = (((int)nprbytes + 3) / 4) * 3;
++    assert(nprbytes <= APR_BASE64_DECODE_MAX);
+ 
+-    return nbytesdecoded + 1;
++    return (int)(((nprbytes + 3u) / 4u) * 3u + 1u);
+ }
+ 
+ APU_DECLARE(int) apr_base64_decode(char *bufplain, const char *bufcoded)
+ {
+ #if APR_CHARSET_EBCDIC
+     apr_size_t inbytes_left, outbytes_left;
+-#endif				/* APR_CHARSET_EBCDIC */
++#endif /* APR_CHARSET_EBCDIC */
+     int len;
+     
+     len = apr_base64_decode_binary((unsigned char *) bufplain, bufcoded);
+@@ -143,7 +150,7 @@ APU_DECLARE(int) apr_base64_decode(char *bufplain, const char *bufcoded)
+  * the conversion of the output to ebcdic is left out.
+  */
+ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain,
+-				   const char *bufcoded)
++                                          const char *bufcoded)
+ {
+     int nbytesdecoded;
+     register const unsigned char *bufin;
+@@ -153,12 +160,13 @@ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain,
+     bufin = (const unsigned char *) bufcoded;
+     while (pr2six[*(bufin++)] <= 63);
+     nprbytes = (bufin - (const unsigned char *) bufcoded) - 1;
+-    nbytesdecoded = (((int)nprbytes + 3) / 4) * 3;
++    assert(nprbytes <= APR_BASE64_DECODE_MAX);
++    nbytesdecoded = (int)(((nprbytes + 3u) / 4u) * 3u);
+ 
+     bufout = (unsigned char *) bufplain;
+     bufin = (const unsigned char *) bufcoded;
+ 
+-    while (nprbytes > 4) {
++    while (nprbytes >= 4) {
+ 	*(bufout++) =
+ 	    (unsigned char) (pr2six[*bufin] << 2 | pr2six[bufin[1]] >> 4);
+ 	*(bufout++) =
+@@ -178,13 +186,8 @@ APU_DECLARE(int) apr_base64_decode_binary(unsigned char *bufplain,
+ 	*(bufout++) =
+ 	    (unsigned char) (pr2six[bufin[1]] << 4 | pr2six[bufin[2]] >> 2);
+     }
+-    if (nprbytes > 3) {
+-	*(bufout++) =
+-	    (unsigned char) (pr2six[bufin[2]] << 6 | pr2six[bufin[3]]);
+-    }
+ 
+-    nbytesdecoded -= (4 - (int)nprbytes) & 3;
+-    return nbytesdecoded;
++    return nbytesdecoded - (int)((4u - nprbytes) & 3u);
+ }
+ 
+ static const char basis_64[] =
+@@ -192,6 +195,8 @@ static const char basis_64[] =
+ 
+ APU_DECLARE(int) apr_base64_encode_len(int len)
+ {
++    assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
++
+     return ((len + 2) / 3 * 4) + 1;
+ }
+ 
+@@ -203,6 +208,8 @@ APU_DECLARE(int) apr_base64_encode(char *encoded, const char *string, int len)
+     int i;
+     char *p;
+ 
++    assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
++
+     p = encoded;
+     for (i = 0; i < len - 2; i += 3) {
+ 	*p++ = basis_64[(os_toascii[string[i]] >> 2) & 0x3F];
+@@ -227,7 +234,7 @@ APU_DECLARE(int) apr_base64_encode(char *encoded, const char *string, int len)
+     }
+ 
+     *p++ = '\0';
+-    return p - encoded;
++    return (unsigned int)(p - encoded);
+ #endif				/* APR_CHARSET_EBCDIC */
+ }
+ 
+@@ -240,6 +247,8 @@ APU_DECLARE(int) apr_base64_encode_binary(char *encoded,
+     int i;
+     char *p;
+ 
++    assert(len >= 0 && len <= APR_BASE64_ENCODE_MAX);
++
+     p = encoded;
+     for (i = 0; i < len - 2; i += 3) {
+ 	*p++ = basis_64[(string[i] >> 2) & 0x3F];
+@@ -264,5 +273,5 @@ APU_DECLARE(int) apr_base64_encode_binary(char *encoded,
+     }
+ 
+     *p++ = '\0';
+-    return (int)(p - encoded);
++    return (unsigned int)(p - encoded);
+ }
+-- 
+2.30.2
+
diff --git a/debian/patches/series b/debian/patches/series
index f1d8f4c..5ca59f9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@ fix_doxygen_inputdir
 support_mariadb.patch
 doxygen_no_ful_path_names.patch
 fix_gdbm_error_handling
+apr_base64-Make-sure-encoding-decoding-lengths-fit-i.patch