CVE-2021-35940

Name: CVE-2021-35940
Description: An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.
Source: CVE (at NVD)
Debian Bugs: 992789

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                          Version           Status
apr (PTS)        buster                           1.6.5-1           fixed
                 bullseye (security), bullseye    1.7.0-6+deb11u2   fixed
                 trixie, bookworm                 1.7.2-3           fixed
                 sid                              1.7.2-3.2         fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version     Urgency   Origin   Debian Bugs
apr       source   stretch      (not affected)
apr       source   buster       (not affected)
apr       source   bullseye     1.7.0-6+deb11u1
apr       source   (unstable)   1.7.0-7                              992789

Notes

[buster] - apr <not-affected> (Vulnerable code re-introduced in 1.7.0)
[stretch] - apr <not-affected> (Vulnerable code re-introduced in 1.7.0)
The issue exists because the CVE-2017-12613 fix was not carried forward in the APR 1.7.x branch; version 1.7.0 therefore regressed from 1.6.3 and is vulnerable to the same out-of-bounds read. Buster and stretch ship the 1.6.x line with the original fix and are not affected; bullseye and later carry 1.7.x and needed the patch linked below.
https://www.openwall.com/lists/oss-security/2021/08/23/1
http://svn.apache.org/viewvc?view=revision&revision=1891198
https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch
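As an added illustration of the bug class (not code from APR, and not part of this tracker entry): the apr_time_exp*() issue is a month field taken from untrusted input and used, without a range check, as an index into a fixed 12-entry table inside the time-explosion routine. The struct, table, function and error names below (demo_time_exp_t, demo_dayoffset, demo_day_of_year_unchecked, demo_day_of_year_checked, demo_checked_day, DEMO_EBADDATE) are assumptions made for this example; the hardened variant shows the kind of range check the 1.6.3 fix added and the 1.7.0 patch re-applies.

```c
/* Added example: a minimal model of the CVE-2017-12613 / CVE-2021-35940
 * bug class, NOT code from APR or from the Debian tracker.  All names
 * here (demo_time_exp_t, demo_dayoffset, demo_day_of_year_*, DEMO_*)
 * are made up for the illustration; the real routine is
 * apr_time_exp_get() in APR's time/unix/time.c. */
#include <stdio.h>

#define DEMO_SUCCESS   0
#define DEMO_EBADDATE  (-1)   /* stands in for APR_EBADDATE */

/* Subset of an exploded time, like struct tm / apr_time_exp_t.  tm_mon
 * comes from whatever parsed the date (a header, a cookie, a log line),
 * so it cannot be assumed to be in range. */
typedef struct {
    int tm_mon;   /* 0..11 when valid */
    int tm_mday;  /* 1..31 */
} demo_time_exp_t;

/* Days before the first of each month in a non-leap year: exactly 12
 * entries, so tm_mon == 12 or tm_mon == -1 reads past either end. */
static const int demo_dayoffset[12] = {
    0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
};

/* Vulnerable shape (APR <= 1.6.2 and the 1.7.0 regression): the month is
 * used as an array index with no range check.  With an out-of-range
 * tm_mon this is an out-of-bounds read (undefined behaviour in C), which
 * is the bug; main() below therefore only feeds it a valid month. */
int demo_day_of_year_unchecked(const demo_time_exp_t *xt)
{
    return demo_dayoffset[xt->tm_mon] + (xt->tm_mday - 1);
}

/* Hardened shape: reject tm_mon before it is used as an index and return
 * an error code the caller must check, the way the fixed APR returns
 * APR_EBADDATE.  On error *out is left untouched. */
int demo_day_of_year_checked(int *out, const demo_time_exp_t *xt)
{
    if (xt->tm_mon < 0 || xt->tm_mon >= 12)
        return DEMO_EBADDATE;
    *out = demo_dayoffset[xt->tm_mon] + (xt->tm_mday - 1);
    return DEMO_SUCCESS;
}

/* Convenience wrapper: 0-based day of year, or -1 if the month is rejected. */
int demo_checked_day(int mon, int mday)
{
    demo_time_exp_t xt = { mon, mday };
    int day = -1;
    if (demo_day_of_year_checked(&day, &xt) != DEMO_SUCCESS)
        return -1;
    return day;
}

int main(void)
{
    /* Constructed inputs: one valid date and two out-of-range months of
     * the kind an untrusted date parser could hand to the library. */
    demo_time_exp_t good   = { 7, 23 };   /* 23 August, non-leap year */
    demo_time_exp_t bad_hi = { 12, 1 };
    demo_time_exp_t bad_lo = { -1, 1 };
    int day = 0;

    printf("unchecked, valid month : day %d\n", demo_day_of_year_unchecked(&good));
    printf("checked,   valid month : rc %d day %d\n",
           demo_day_of_year_checked(&day, &good), day);
    printf("checked,   tm_mon = 12 : rc %d\n", demo_day_of_year_checked(&day, &bad_hi));
    printf("checked,   tm_mon = -1 : rc %d\n", demo_day_of_year_checked(&day, &bad_lo));
    /* demo_day_of_year_unchecked(&bad_hi) is deliberately not called:
     * it would read demo_dayoffset[12], one element past the table. */
    return 0;
}
```

The practical check on a Debian system is the version table above: a bullseye host with apr below 1.7.0-6+deb11u1 still has the unchecked index, while buster's 1.6.5-1 never lost the 1.6.3 fix.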
