[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#627182: libapr1: last security update introduces a infinite loop condition



Package: libapr1
Version: 1.4.2-8
Severity: important
Tags: upstream

Hello,

We have found that the last security update (1.4.2-6+squeeze1, 1.2.12-5+lenny3)
causes apr_fnmatch to enter an infinite loop, on particular patters.

For instance, with the following configuration directive:
    <Location "/*/WEB-INF/">
        deny from all
    </Location> 
if someone visits any URL, an apache2 thread will start consuming 100% CPU.

This is introduced by the backport
debian/patches/028_fnmatch_CVE-2011-0419.dpatch, but it can be reproduced with the vanilla apr.

Regards,

-- 
 ,--.
: /` )   Tanguy Ortolo <xmpp:tanguy@ortolo.eu> <irc://irc.oftc.net/Elessar>
| `-'    Debian Maintainer
 \_

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapr1 depends on:
ii  libc6                         2.13-4     Embedded GNU C Library: Shared lib
ii  libuuid1                      2.17.2-9.1 Universally Unique ID library

libapr1 recommends no packages.

libapr1 suggests no packages.

-- no debconf information

Attachment: signature.asc
Description: Digital signature


Reply to: