Posted to dev@apr.apache.org by William A Rowe Jr <wr...@rowe-clan.net> on 2017/10/23 18:27:59 UTC

[Announce] Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2 Released

The Apache Software Foundation and the Apache Portable Runtime
Project are proud to announce the General Availability of version
1.6.3 of the Apache Portable Runtime library (APR), as well as
version 1.6.1 of the APR Utility library (APR-util) and version
1.2.2 of the APR iconv library (APR-iconv).

The APR 1.6.1 release addresses one security vulnerability:

  CVE-2017-12618: Out-of-bounds access in corrupted SDBM database.

  APR-util 1.6.0 and prior failed to validate the integrity of SDBM
  database files used by apr_sdbm*() functions, resulting in a
  possible out of bound read access. A local user with write access
  to the database can make a program or process using these functions
  crash, and cause a denial of service.

The APR-util 1.6.3 release addresses one security vulnerability:

  CVE-2017-12613: Out-of-bounds array deref in apr_time_exp*() functions

  When apr_exp_time*() or apr_os_exp_time*() functions are invoked
  with an invalid month field value in APR 1.6.2 and prior, out of
  bounds memory may be accessed in converting this value to an
  apr_time_exp_t value, potentially revealing the contents of a
  different static heap value or resulting in program termination,
  and may represent an information disclosure or denial of service
  vulnerability to applications which call these APR functions with
  unvalidated external input.

There are a number of specific changes in how APR is deployed
and how APR-util deals with external dependencies in their 1.6
releases, which may be disruptive to existing build strategies:

 - Expat sources are no longer bundled, this is now an external
   dependency. Install libexpat runtime (usually installed by
   default) and development packages using your system's package
   manager, or from <https://libexpat.github.io/>.

 - MySQL support is updated as advised by the MySQL developers.
   MySQL versions older than 5.5 should not be used. If you do
   use an old MySQL version, use the thread-safe libmysqlclient_r
   version of the library.

 - FreeTDS partial and incomplete support has been dropped.
   Users of MSSQL and SYBASE databases are recommended to use
   the ODBC driver instead.

The APR 1.6.3, APR-util 1.6.1, and APR-iconv 1.2.2 releases also fix
a number of run-time and build-time issues. For details, see:

  http://www.apache.org/dist/apr/CHANGES-APR-1.6
  http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.6
  http://www.apache.org/dist/apr/CHANGES-APR-ICONV-1.2

APR, APR-util and APR-iconv are available for download from:

  http://apr.apache.org/download.cgi

The mission of the Apache Portable Runtime Project is to create
and maintain software libraries that provide a predictable and
consistent interface to underlying platform-specific
implementations. The primary goal is to provide an API to
which software developers may code and be assured of predictable
if not identical behavior regardless of the platform on which
their software is built. We list all known projects using APR
at http://apr.apache.org/projects.html - so please let us know
if you find our libraries useful in your own projects!
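As an added example of the range check that CVE-2017-12613 in the announcement above calls for (this is not APR's own code or its fix; the struct, the tables and the function names are constructed stand-ins): the month field that a conversion uses to index a static per-month table is validated before any lookup, so an out-of-range value is rejected instead of reading beyond the table.

```c
#include <stdio.h>

/* Constructed stand-in for the apr_time_exp_t fields used here (not APR's
 * struct): tm_mon is 0..11 and tm_year counts years since 1900, as in APR. */
typedef struct { int tm_mday, tm_mon, tm_year; } exp_time_fields;

/* 12-entry static tables of the kind a month value indexes during
 * conversion; a tm_mon outside 0..11 would read past them. */
static const int days_before_month[12] = {
    0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 };
static const int days_in_month[12] = {
    31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };

static int is_leap(int year)
{
    return (year % 4 == 0 && year % 100 != 0) || year % 400 == 0;
}

/* Hypothetical validator (not an APR API): 1 if month and day are in
 * range, 0 otherwise. The month is checked before it indexes any table. */
int exp_time_fields_valid(const exp_time_fields *xt)
{
    int limit;
    if (xt->tm_mon < 0 || xt->tm_mon > 11) return 0;
    limit = days_in_month[xt->tm_mon]
          + (xt->tm_mon == 1 && is_leap(xt->tm_year + 1900));
    return xt->tm_mday >= 1 && xt->tm_mday <= limit;
}

/* Hardened conversion step: 0-based day of year, computed only after
 * validation; returns -1 for rejected input instead of an unchecked index. */
int exp_time_yday(const exp_time_fields *xt)
{
    int yday;
    if (!exp_time_fields_valid(xt)) return -1;
    yday = days_before_month[xt->tm_mon] + xt->tm_mday - 1;
    if (xt->tm_mon > 1 && is_leap(xt->tm_year + 1900)) yday++;
    return yday;
}

int main(void)
{
    exp_time_fields bad = { 1, 12, 117 }; /* constructed: month 12 */
    exp_time_fields ok = { 1, 2, 116 };   /* constructed: 1 Mar 2016 */
    printf("month 12 -> %d, 1 Mar 2016 -> %d\n",
           exp_time_yday(&bad), exp_time_yday(&ok));
    return 0;
}
```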

Re: [Announce] Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2 Released

Posted by Stefan Sperling <st...@stsp.name>.
On Wed, Nov 01, 2017 at 01:07:34PM +0100, Rainer Jung wrote:
> On 01.11.2017 at 12:22, Stefan Sperling wrote:
> > On Mon, Oct 23, 2017 at 01:27:59PM -0500, William A Rowe Jr wrote:
> > >    CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
> > > 
> > >    APR-util 1.6.0 and prior failed to validate the integrity of SDBM
> > >    database files used by apr_sdbm*() functions, resulting in a
> > >    possible out of bound read access. A local user with write access
> > >    to the database can make a program or process using these functions
> > >    crash, and cause a denial of service.
> > 
> > I am looking for the patch which fixed the above issue.
> > 
> > Where can I find it?
> > 
> > Was it r1809394? All of it? Some of it?
> > 
> > Rationale: APR-util 1.6.3 added a shared library symbol:
> > 
> > No dynamic export changes
> > PLT added:
> >          apr_xml_parser_done
> > 
> > I want to figure out a way to patch this security issue in
> > OpenBSD 6.2-stable, without changing unrelated library symbols.
> 
> Yes, it should be r1809394 or even better the 1.6.x backport r1809395.
> 
> Regards,
> 
> Rainer

Thank you, Rainer. I have committed this fix to OpenBSD.

Re: [Announce] Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2 Released

Posted by Rainer Jung <ra...@kippdata.de>.
On 01.11.2017 at 12:22, Stefan Sperling wrote:
> On Mon, Oct 23, 2017 at 01:27:59PM -0500, William A Rowe Jr wrote:
>>    CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
>>
>>    APR-util 1.6.0 and prior failed to validate the integrity of SDBM
>>    database files used by apr_sdbm*() functions, resulting in a
>>    possible out of bound read access. A local user with write access
>>    to the database can make a program or process using these functions
>>    crash, and cause a denial of service.
> 
> I am looking for the patch which fixed the above issue.
> 
> Where can I find it?
> 
> Was it r1809394? All of it? Some of it?
> 
> Rationale: APR-util 1.6.3 added a shared library symbol:
> 
> No dynamic export changes
> PLT added:
>          apr_xml_parser_done
> 
> I want to figure out a way to patch this security issue in
> OpenBSD 6.2-stable, without changing unrelated library symbols.

Yes, it should be r1809394 or even better the 1.6.x backport r1809395.

Regards,

Rainer

Re: [Announce] Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2 Released

Posted by Stefan Sperling <st...@apache.org>.
On Mon, Oct 23, 2017 at 01:27:59PM -0500, William A Rowe Jr wrote:
>   CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
> 
>   APR-util 1.6.0 and prior failed to validate the integrity of SDBM
>   database files used by apr_sdbm*() functions, resulting in a
>   possible out of bound read access. A local user with write access
>   to the database can make a program or process using these functions
>   crash, and cause a denial of service.

I am looking for the patch which fixed the above issue.

Where can I find it?

Was it r1809394? All of it? Some of it?

Rationale: APR-util 1.6.3 added a shared library symbol:

No dynamic export changes
PLT added:
        apr_xml_parser_done

I want to figure out a way to patch this security issue in
OpenBSD 6.2-stable, without changing unrelated library symbols.

Thanks,
Stefan