apr-dev mailing list archives

From Stefan Sperling <s...@apache.org>
Subject Re: [Announce] Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2 Released
Date Wed, 01 Nov 2017 11:22:50 GMT
On Mon, Oct 23, 2017 at 01:27:59PM -0500, William A Rowe Jr wrote:
>   CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
> 
>   APR-util 1.6.0 and prior failed to validate the integrity of SDBM
>   database files used by apr_sdbm*() functions, resulting in a
>   possible out of bound read access. A local user with write access
>   to the database can make a program or process using these functions
>   crash, and cause a denial of service.

I am looking for the patch which fixed the above issue.

Where can I find it?

Was it r1809394? All of it? Some of it?

Rationale: APR-util 1.6.3 added a shared library symbol:

No dynamic export changes
PLT added:
        apr_xml_parser_done

I want to figure out a way to patch this security issue in
OpenBSD 6.2-stable, without changing unrelated library symbols.

Thanks,
Stefan
