| Name | CVE-2021-35940 |
| Description | An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 992789 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| apr (PTS) | jessie, jessie (lts) | 1.5.1-3+deb8u1 | fixed |
| stretch (security), stretch (lts), stretch | 1.5.2-5+deb9u1 | fixed |
| buster | 1.6.5-1 | fixed |
| bullseye (security), bullseye | 1.7.0-6+deb11u2 | fixed |
| bookworm | 1.7.2-3+deb12u1 | fixed |
| sid, trixie | 1.7.5-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| apr | source | jessie | (not affected) | | | |
| apr | source | stretch | (not affected) | | | |
| apr | source | buster | (not affected) | | | |
| apr | source | bullseye | 1.7.0-6+deb11u1 | | | |
| apr | source | (unstable) | 1.7.0-7 | | | 992789 |
Notes
[buster] - apr <not-affected> (Vulnerable code re-introduced in 1.7.0)
[stretch] - apr <not-affected> (Vulnerable code re-introduced in 1.7.0)
The issue exists because the CVE-2017-12613 fix was not carried forward
in the APR 1.7.x branch and hence version 1.7.0 regressed from 1.6.3
and so vulnerable to the same issue.
https://www.openwall.com/lists/oss-security/2021/08/23/1
http://svn.apache.org/viewvc?view=revision&revision=1891198
https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch
[jessie] - apr <not-affected> (Vulnerable code introduced later in version 1.7.0)