Message-ID: <4A79DC40.5000209@rowe-clan.net>
Date: Wed, 05 Aug 2009 14:23:44 -0500
From: "William A. Rowe, Jr."
To: dev@httpd.apache.org
Subject: Re: [Fwd: APR Developer Advisory CVE-2009-2412]
References: <4A79D834.9080403@rowe-clan.net>
In-Reply-To: <4A79D834.9080403@rowe-clan.net>

> Abuse of this flaw required the developer to request an allocation of
> an untrusted size, which the APR developers determined to indicate a
> flaw in the developer's code. Due to APR's behavior, however, an
> application which exposed itself to such flaw was further vulnerable
> due to a non-null return value from pool or rmm allocation calls.
> Under normal scenarios, NULL should be returned, which is either
> detected or leads to an immediate segfault/halt. Due to APR's handling
> of these allocation calls, data pollution and other side effects cannot
> be ruled out, so APR had assigned CVE-2009-2412
> to this issue. The APR project recommends all distributors update to
> include this patch or the forthcoming APR release, to guard against the
> greater impact of future exploits of library consumers' vulnerable code.

In short, this is unlikely to affect httpd. But it's entirely possible
that it affects third party modules built for httpd plus apr.

I'm willing to tag and roll this evening a 2.2.13 if people will stand
behind voting for it over the next two days. Unfortunately, I'm unable to
release it after 9am Sunday morning, so if we want to push ahead with a
48 hour voting clock, please raise your hand to test between thurs and fri.

I raised the idea in security@ discussion of re-releasing 2.2.12 with the
updated APR; nothing in the httpd svn tree suggested this specific version.
But since that idea received mixed reviews, it doesn't seem like the right
solution.

Bill
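
The quoted advisory describes an allocation of an untrusted size coming back non-NULL instead of failing. The following is an added example, not part of the original message and not APR's code: it assumes the cause is allocator-internal size rounding that wraps around, and shows the caller-side guard a module author can apply. `ALIGN8`, `rounded_checked` and `alloc_untrusted` are hypothetical names, and the sample size is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical round-up-to-8 helper standing in for an allocator's
 * internal size alignment (assumption; not APR's macro). */
#define ALIGN8(n) (((n) + (size_t)7) & ~(size_t)7)

/* Unchecked rounding: a request near SIZE_MAX wraps to a tiny size,
 * so the underlying allocation can succeed with far too little memory. */
size_t rounded_unchecked(size_t n) { return ALIGN8(n); }

/* Checked rounding: 0 on success, -1 if adding the padding would wrap. */
int rounded_checked(size_t n, size_t *out)
{
    if (n > SIZE_MAX - 7)
        return -1;
    *out = ALIGN8(n);
    return 0;
}

/* Wrapper for sizes derived from untrusted input: enforce an
 * application-level limit and refuse wrapped sizes by returning NULL,
 * which is the failure mode callers already expect to handle. */
void *alloc_untrusted(size_t n, size_t limit)
{
    size_t rounded;
    if (n == 0 || n > limit || rounded_checked(n, &rounded) != 0)
        return NULL;
    return malloc(rounded);
}

int main(void)
{
    size_t hostile = SIZE_MAX - 2;          /* constructed sample input */
    printf("requested %zu bytes, unchecked rounding yields %zu\n",
           hostile, rounded_unchecked(hostile));
    void *p = alloc_untrusted(hostile, (size_t)1 << 20);
    printf("guarded allocation returned %s\n", p ? "non-NULL" : "NULL");
    free(p);
    return 0;
}
```

The size limit matters as much as the wrap check: it rejects oversized requests before any allocator-internal arithmetic is reached, whichever library version is linked.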