
Bug#627182: libapr1: last security update introduces a infinite loop condition



Date: 2011 05 20

Hi,
I can confirm the same problem on our prod server after the upgrade to
libapr1-1.2.12-5+lenny3.
The problem is triggered by some configuration directive in apache.conf.

package details:
ii  apache2                    2.2.9-10+lenny9          Apache HTTP Server metapackage
ii  apache2-mpm-prefork        2.2.9-10+lenny9          Apache HTTP Server - traditional non-threade
ii  apache2-utils              2.2.9-10+lenny9          utility programs for webservers
ii  apache2.2-common           2.2.9-10+lenny9          Apache HTTP Server common files
ii  libapache2-mod-auth-pgsql  2.0.3-5                  Module for Apache2 which provides pgsql auth
ii  libapr1                    1.2.12-5+lenny3          The Apache Portable Runtime Library
ii  libaprutil1                1.2.12+dfsg-8+lenny5     The Apache Portable Runtime Utility Library

O.S.: Linux i686 GNU/Linux

I also have some GDB debug output if someone is interested: it shows an
application loop in the apr_fnmatch() function
(I can provide the full debug session if someone asks for it):

    Breakpoint 1, apr_fnmatch (pattern=0x9b0e7c0 "/somestring/*/*/*/*/other_string/", string=0x9b5a5a0 "/somestring", flags=2)


Thanks
Roby
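
A way to check whether an installed libapr1 returns from the call shown in the breakpoint above, added here as an example that is not part of the original message or of APR: the single apr_fnmatch() call runs in a child process under a timeout, so a looping library cannot hang the checker. The helper names and the 5-second timeout are assumptions; the pattern, string and flags are the ones in the GDB output.

```python
import ctypes.util
import subprocess
import sys

# Arguments copied from the GDB breakpoint in the report above.
PATTERN = "/somestring/*/*/*/*/other_string/"
STRING = "/somestring"
FLAGS = 2  # APR_FNM_PATHNAME in apr_fnmatch.h

# Child program: load the library, make the one call, print its return value.
_CHILD = r"""
import ctypes, sys
lib = ctypes.CDLL(sys.argv[1])
lib.apr_fnmatch.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.c_int]
lib.apr_fnmatch.restype = ctypes.c_int
print(lib.apr_fnmatch(sys.argv[2].encode(), sys.argv[3].encode(), int(sys.argv[4])))
"""

def find_libapr():
    """Return a loadable name for libapr-1, or None if it is not installed."""
    return ctypes.util.find_library("apr-1")

def check_fnmatch(libpath, pattern=PATTERN, string=STRING, flags=FLAGS, timeout=5.0):
    """Call apr_fnmatch() in a child process and classify the outcome.

    Returns "hang" if the call has not returned after `timeout` seconds,
    "returned:<n>" with the function's return value if it came back, and
    "unavailable" if the library or symbol could not be loaded.
    """
    if not libpath:
        return "unavailable"
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD, libpath, pattern, string, str(flags)],
            capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"  # subprocess.run has already killed the child
    if proc.returncode != 0:
        return "unavailable"  # load failure or missing symbol in the child
    return "returned:" + proc.stdout.strip()

if __name__ == "__main__":
    # Assumption: run on the host whose libapr1 package is being checked.
    print(check_fnmatch(find_libapr()))
```

A "hang" result on a host corresponds to the loop described in the report; any "returned:" result means this call came back on that library version.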


