apr-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject APR Developer Advisory CVE-2009-2412
Date Tue, 04 Aug 2009 20:23:04 GMT
The APR project thanks Matt Lewis for bringing this overflow flaw to
the project's attention.  The project has released patches for
CVE-2009-2412 at <http://www.apache.org/dist/apr/patches/> based on
his guidance.  The APR project expects to ship APR release 1.3.8 and
APR-util release 1.3.9 over the course of the week.
Abuse of this flaw required the developer to request an allocation of
an untrusted size, which the APR developers determined to indicate a
flaw in the developer's code.  Due to APR's behavior, however, an
application which exposed itself to such a flaw was further vulnerable,
because the pool or rmm allocation calls returned a non-null value.
Under normal scenarios NULL should be returned, which is either
detected by the caller or leads to an immediate segfault/halt.  Because
of APR's handling of these allocation calls, data pollution and other
side effects cannot be ruled out, so APR has assigned CVE-2009-2412
<http://cve.mitre.org/> to this issue.  The APR project recommends that
all distributors update to include this patch or the forthcoming APR
release, to guard against the greater impact of future exploits of
library consumers' vulnerable code.
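The failure mode the advisory describes, as an added illustration written for this page (not APR's own code or its patch): an allocator rounds an untrusted request up to an alignment boundary, the addition wraps, and a near-SIZE_MAX request becomes a tiny allocation that still returns a non-NULL pointer. ALIGN_UP models an 8-byte alignment step in the style of APR_ALIGN_DEFAULT; the function names and the malloc-backed allocator are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Round `size` up to a multiple of `boundary` (a power of two).  Modelled on
 * the APR_ALIGN macro shape; the wrap happens in the addition.  (Assumed,
 * simplified model, not APR's source.) */
#define ALIGN_UP(size, boundary) \
    (((size) + ((boundary) - 1)) & ~((size_t)(boundary) - 1))

/* Returns 1 if rounding `req` wraps to a smaller value, 0 otherwise.
 * This is the condition an allocator must detect before trusting `req`. */
int rounding_wraps(size_t req)
{
    size_t rounded = ALIGN_UP(req, 8);
    return rounded < req;
}

/* Vulnerable pattern: round, then allocate whatever the rounding produced.
 * For SIZE_MAX - 3 the rounded size is 0, so the caller gets a "successful"
 * allocation that is far smaller than requested.  Returns the rounded size. */
size_t unsafe_rounded_size(size_t req)
{
    return ALIGN_UP(req, 8);
}

/* Hardened pattern: refuse the request when rounding wrapped, so the caller
 * sees the NULL the advisory says a failed allocation should produce. */
void *safe_alloc(size_t req)
{
    size_t rounded = ALIGN_UP(req, 8);
    if (rounded < req)
        return NULL;              /* size overflowed during rounding */
    return malloc(rounded);
}

/* Helper for checking the hardened path: 1 if the request was rejected. */
int safe_alloc_rejects(size_t req)
{
    void *p = safe_alloc(req);
    if (p == NULL)
        return 1;
    free(p);
    return 0;
}

int main(void)
{
    size_t hostile = SIZE_MAX - 3;    /* constructed untrusted size */
    printf("unsafe rounded size: %zu, wraps: %d, hardened rejects: %d\n",
           unsafe_rounded_size(hostile), rounding_wraps(hostile),
           safe_alloc_rejects(hostile));
    return 0;
}
```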
