Posted to dev@apr.apache.org by "William A. Rowe Jr." <wr...@rowe-clan.net> on 2011/05/11 08:39:48 UTC
Re: Apache Portable Runtime 1.4.4 [...] Released
Users;
Please note the following clarification to the APR 1.4.4 release.
Whether this represents a security flaw to *your* application depends
on untrusted fnmatch patterns being applied to very long name strings,
the default stack size, and the impact of a stack overflow to the app.
Modified: release/apr/Announcement1.x.txt
==============================================================================
--- release/apr/Announcement1.x.txt (original)
+++ release/apr/Announcement1.x.txt Tue May 10 19:38:45 2011
@@ -8,6 +8,18 @@
These are bug fix releases. Users of previous versions are
encouraged to update to these releases.
+ Note especially a security fix to APR 1.4.4, stack overflow
+ was possible due to unconstrained, recursive invocation of
+ apr_fnmatch, as apr_fnmatch processed '*' wildcards.
+
+ * Security: CVE-2011-0419 (http://cve.mitre.org)
+ Reimplement apr_fnmatch() from scratch using a non-recursive
+ algorithm; now has improved compliance with the fnmatch() spec.
+ [William Rowe]
+
+ The APR Project thanks Maksymilian Arciemowicz of SecurityReason
+ for his research and reporting of this issue.
+
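Review bot: the note added at the top of the hunk ("stack overflow was possible") states an impact that the follow-up message in this thread corrects: the nature of CVE-2011-0419 is exponential CPU consumption from the recursive handling of '*' wildcards, and a stack overflow is unlikely to be observed; the announcement text should describe it that way so readers assess their exposure correctly. The `* Security:` entry also links only to the generic http://cve.mitre.org site rather than to the CVE-2011-0419 entry itself.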
Re: Apache Portable Runtime 1.4.4 [...] Released
Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 5/11/2011 1:39 AM, William A. Rowe Jr. wrote:
> Users;
>
> Please note the following clarification to the APR 1.4.4 release.
>
> Whether this represents a security flaw to *your* application depends
> on untrusted fnmatch patterns being applied to very long name strings,
> the default stack size, and the impact of a stack overflow to the app.
I initially wrote "stack overflow"; this was incorrect. The nature of
the vulnerability is (exponential) excessive CPU utilization. You are
most unlikely to observe a stack overflow.
> Modified: release/apr/Announcement1.x.txt
> ==============================================================================
> --- release/apr/Announcement1.x.txt (original)
> +++ release/apr/Announcement1.x.txt Tue May 10 19:38:45 2011
> @@ -8,6 +8,18 @@
> These are bug fix releases. Users of previous versions are
> encouraged to update to these releases.
>
> + Note especially a security fix to APR 1.4.4, stack overflow
> + was possible due to unconstrained, recursive invocation of
> + apr_fnmatch, as apr_fnmatch processed '*' wildcards.
> +
> + * Security: CVE-2011-0419 (http://cve.mitre.org)
> + Reimplement apr_fnmatch() from scratch using a non-recursive
> + algorithm; now has improved compliance with the fnmatch() spec.
> + [William Rowe]
> +
> + The APR Project thanks Maksymilian Arciemowicz of SecurityReason
> + for his research and reporting of this issue.
> +
>
>
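The difference between the recursive '*' handling the announcement describes and a non-recursive matcher, as an added example: two constructed toy matchers (not APR's apr_fnmatch() source) that support only '*' and '?', each counting the work it does on a name that cannot match, which is the excessive-CPU behaviour the follow-up describes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Two toy glob matchers supporting only '*' and '?' (no bracket
 * expressions). Constructed for illustration; not APR source. */

/* Recursive matcher: every '*' retries the rest of the pattern at each
 * remaining name position, so a pattern with several '*' runs in time
 * exponential in the number of stars on a name that does not match. */
static bool match_recursive(const char *pat, const char *name, unsigned long *steps)
{
    (*steps)++;
    for (; *pat; pat++, name++) {
        if (*pat == '*') {
            while (*pat == '*') pat++;          /* "**" behaves like "*" */
            if (!*pat) return true;             /* trailing '*' matches the rest */
            for (; *name; name++)
                if (match_recursive(pat, name, steps)) return true;
            return false;
        }
        if (!*name || (*pat != '?' && *pat != *name)) return false;
    }
    return *name == '\0';
}

/* Non-recursive matcher: remembers only the most recent '*' and the name
 * position it was tried at, and backtracks to that point on mismatch.
 * Work is bounded by roughly len(pat) * len(name); no recursion at all. */
static bool match_iterative(const char *pat, const char *name, unsigned long *steps)
{
    const char *star = NULL, *resume = NULL;
    while (*name) {
        (*steps)++;
        if (*pat == '*')                        { star = pat++; resume = name; }
        else if (*pat == '?' || *pat == *name)  { pat++; name++; }
        else if (star)                          { pat = star + 1; name = ++resume; }
        else                                    return false;
    }
    while (*pat == '*') pat++;                  /* trailing stars match "" */
    return *pat == '\0';
}

bool glob_recursive(const char *p, const char *n) { unsigned long s = 0; return match_recursive(p, n, &s); }
bool glob_iterative(const char *p, const char *n) { unsigned long s = 0; return match_iterative(p, n, &s); }
unsigned long cost_recursive(const char *p, const char *n) { unsigned long s = 0; match_recursive(p, n, &s); return s; }
unsigned long cost_iterative(const char *p, const char *n) { unsigned long s = 0; match_iterative(p, n, &s); return s; }

int main(void)
{
    const char *pat = "*a*a*a*a*b", *name = "aaaaaaaaaaaaaaaa";  /* 16 a's, no 'b' */
    printf("recursive: %lu steps, iterative: %lu steps\n",
           cost_recursive(pat, name), cost_iterative(pat, name));
    return 0;
}
```

Lengthening the name by one character roughly multiplies the recursive step count while adding only a couple of iterations to the non-recursive one, which is why a trusted pattern on a long untrusted name (or vice versa) was the risk.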