Bug#627182: libapr1: last security update introduces a infinite loop condition
Date: 2011 05 20
Hi,
I can confirm the same problem on our prod server after upgrade to
libapr1-1.2.12-5+lenny3:
the problem is triggered by some configuration directive in apache.conf;
package details:
ii apache2
2.2.9-10+lenny9 Apache HTTP Server metapackage
ii apache2-mpm-prefork 2.2.9-10+lenny9
Apache HTTP Server - traditional non-threade
ii apache2-utils
2.2.9-10+lenny9 utility programs for webservers
ii apache2.2-common 2.2.9-10+lenny9
Apache HTTP Server common files
ii libapache2-mod-auth-pgsql 2.0.3-5
Module for Apache2 which provides pgsql auth
ii libapr1
1.2.12-5+lenny3 The Apache Portable Runtime Library
ii libaprutil1
1.2.12+dfsg-8+lenny5 The Apache Portable Runtime Utility Library
O.S.: Linux i686 GNU/Linux
I have also some GDB debug if someone is interested: it shows an
application loop in the apr_fnmatch() function
(I can provide the full debug session on someone will ask for it):
Breakpoint 1, apr_fnmatch (pattern=0x9b0e7c0
"/somestring/*/*/*/*/other_string/", string=0x9b5a5a0 "/somestring",
flags=2)
Thanks
Roby
Reply to: