apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: Apache Portable Runtime 1.4.4 [...] Released
Date Thu, 12 May 2011 05:12:56 GMT
On 5/11/2011 1:39 AM, William A. Rowe Jr. wrote:
> Users;
> 
> Please note the following clarification to the APR 1.4.4 release.
> 
> Whether this represents a security flaw to *your* application depends
> on untrusted fnmatch patterns being applied to very long name strings,
> the default stack size, and the impact of a stack overflow to the app.

I initially wrote "stack overflow"; this was incorrect.  The nature of
the vulnerability is (exponential) excessive CPU utilization.  You are
most unlikely to observe a stack overflow.


> Modified: release/apr/Announcement1.x.txt
> ==============================================================================
> --- release/apr/Announcement1.x.txt (original)
> +++ release/apr/Announcement1.x.txt Tue May 10 19:38:45 2011
> @@ -8,6 +8,18 @@
>     These are bug fix releases.  Users of previous versions are
>     encouraged to update to these releases.
> 
> +   Note especially a security fix to APR 1.4.4, stack overflow
> +   was possible due to unconstrained, recursive invocation of
> +   apr_fnmatch, as apr_fnmatch processed '*' wildcards.
> +
> +   * Security: CVE-2011-0419 (http://cve.mitre.org)
> +     Reimplement apr_fnmatch() from scratch using a non-recursive
> +     algorithm; now has improved compliance with the fnmatch() spec.
> +     [William Rowe]
> +
> +   The APR Project thanks Maksymilian Arciemowicz of SecurityReason
> +   for his research and reporting of this issue.
> +
> 
> 


Mime
View raw message