httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: [Fwd: APR Developer Advisory CVE-2009-2412]
Date Wed, 05 Aug 2009 19:38:57 GMT


On 08/05/2009 09:23 PM, William A. Rowe, Jr. wrote:
>> Abuse of this flaw required the developer to request an allocation of
>> an untrusted size, which the APR developers determined to indicate a
>> flaw in the developer's code.  Due to APR's behavior, however, an
>> application which exposed itself to such flaw was further vulnerable
>> due to a non-null return value from pool or rmm allocation calls.
>> Under normal scenarios, NULL should be returned, which is either
>> detected or leads to an immediate segfault/halt.  Due to APR's handling
>> of these allocation calls, data pollution and other side effects cannot
>> be ruled out, so APR had assigned CVE-2009-2412 <http://cve.mitre.org/>
>> to this issue.  The APR project recommends all distributors update to
>> include this patch or the forthcoming APR release, to guard against the
>> greater impact of future exploits of library consumers' vulnerable code.
> 
> In short, this is unlikely to affect httpd.
> 
> But it's entirely possible that it affects third party modules built for
> httpd plus apr.  I'm willing to tag and roll this evening a 2.2.13 if people
> will stand behind voting for it over the next two days.

Go ahead. I am willing to give it a test.

Regards

Rüdiger
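
An added illustration of the failure mode the quoted advisory describes, a non-NULL return for an untrusted, oversized allocation request; it is not part of the original message and is not APR's code. It assumes a toy bump allocator (hypothetical `arena_t`, `arena_alloc_unchecked`, `arena_alloc_checked`) in which rounding the requested size up for alignment can wrap around.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy bump allocator (hypothetical names, not APR's code). */
#define ALIGN_UP(n) (((n) + (size_t)7) & ~(size_t)7)

typedef struct { unsigned char buf[256]; size_t used; } arena_t;

/* Unchecked: a size within 7 bytes of SIZE_MAX wraps to 0 when rounded up,
 * so the "does it fit" test passes and a non-NULL pointer comes back. */
void *arena_alloc_unchecked(arena_t *a, size_t size)
{
    size_t need = ALIGN_UP(size);
    if (need > sizeof(a->buf) - a->used)
        return NULL;
    void *p = a->buf + a->used;
    a->used += need;
    return p;
}

/* Checked: refuse the request when rounding made the size smaller. */
void *arena_alloc_checked(arena_t *a, size_t size)
{
    size_t need = ALIGN_UP(size);
    if (need < size)                      /* rounding wrapped around */
        return NULL;
    if (need > sizeof(a->buf) - a->used)  /* does not fit in the arena */
        return NULL;
    void *p = a->buf + a->used;
    a->used += need;
    return p;
}

int main(void)
{
    arena_t a = { {0}, 0 }, b = { {0}, 0 };
    size_t untrusted = SIZE_MAX - 3;      /* constructed sample input */
    printf("unchecked: %s\n",
           arena_alloc_unchecked(&a, untrusted) ? "non-NULL" : "NULL");
    printf("checked:   %s\n",
           arena_alloc_checked(&b, untrusted) ? "non-NULL" : "NULL");
    return 0;
}
```

A caller that treats a non-NULL result as "the full size is available" would write past the arena in the unchecked case, which is why returning NULL there matters even when the caller's own size handling is the root defect.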
