APR Utility Library: Multiple vulnerabilities — GLSA 200907-03

Multiple vulnerabilities in the Apache Portable Runtime Utility Library might enable remote attackers to cause a Denial of Service or disclose sensitive information.

Affected packages

Background

The Apache Portable Runtime Utility Library (aka apr-util) provides an interface to functionality such as XML parsing, string matching and databases connections.

Description

Multiple vulnerabilities have been discovered in the APR Utility Library:

• Matthew Palmer reported a heap-based buffer underflow while compiling search patterns in the apr_strmatch_precompile() function in strmatch/apr_strmatch.c (CVE-2009-0023).
• kcope reported that the expat XML parser in xml/apr_xml.c does not limit the amount of XML entities expanded recursively (CVE-2009-1955).
• C. Michael Pilato reported an off-by-one error in the apr_brigade_vprintf() function in buckets/apr_brigade.c (CVE-2009-1956).

Impact

A remote attacker could exploit these vulnerabilities to cause a Denial of Service (crash or memory exhaustion) via an Apache HTTP server running mod_dav or mod_dav_svn, or using several configuration files. Additionally, a remote attacker could disclose sensitive information or cause a Denial of Service by sending a specially crafted input. NOTE: Only big-endian architectures such as PPC and HPPA are affected by the latter flaw.

Workaround

There is no known workaround at this time.

Resolution

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/apr-util-1.3.7"

References

• CVE-2009-0023
• CVE-2009-1955
• CVE-2009-1956

Release date
July 04, 2009

Latest revision
July 04, 2009: 01

Severity
normal

Exploitable
remote

Bugzilla entries

• 268643
• 272260
• 274193