[gentoo-announce] [ GLSA 200907-03 ] APR Utility Library: Multiple vulnerabilities - gentoo-announce

From:	Alex Legler <a3li@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200907-03 ] APR Utility Library: Multiple vulnerabilities
Date:	Sat, 04 Jul 2009 07:50:54
Message-Id:	`1246693693.4286.1.camel@localhost`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200907-03

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: APR Utility Library: Multiple vulnerabilities

9

      Date: July 04, 2009

10

      Bugs: #268643, #272260, #274193

11

        ID: 200907-03

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities in the Apache Portable Runtime Utility Library

19

might enable remote attackers to cause a Denial of Service or disclose

20

sensitive information.

21

22

Background

23

==========

24

25

The Apache Portable Runtime Utility Library (aka apr-util) provides an

26

interface to functionality such as XML parsing, string matching and

27

databases connections.

28

29

Affected packages

30

=================

31

32

    -------------------------------------------------------------------

33

     Package            /  Vulnerable  /                    Unaffected

34

    -------------------------------------------------------------------

35

  1  dev-libs/apr-util       < 1.3.7                          >= 1.3.7

36

37

Description

38

===========

39

40

Multiple vulnerabilities have been discovered in the APR Utility

41

Library:

42

43

* Matthew Palmer reported a heap-based buffer underflow while

44

  compiling search patterns in the apr_strmatch_precompile() function

45

  in strmatch/apr_strmatch.c (CVE-2009-0023).

46

47

* kcope reported that the expat XML parser in xml/apr_xml.c does not

48

  limit the amount of XML entities expanded recursively

49

  (CVE-2009-1955).

50

51

* C. Michael Pilato reported an off-by-one error in the

52

  apr_brigade_vprintf() function in buckets/apr_brigade.c

53

  (CVE-2009-1956).

54

55

Impact

56

======

57

58

A remote attacker could exploit these vulnerabilities to cause a Denial

59

of Service (crash or memory exhaustion) via an Apache HTTP server

60

running mod_dav or mod_dav_svn, or using several configuration files.

61

Additionally, a remote attacker could disclose sensitive information or

62

cause a Denial of Service by sending a specially crafted input. NOTE:

63

Only big-endian architectures such as PPC and HPPA are affected by the

64

latter flaw.

65

66

Workaround

67

==========

68

69

There is no known workaround at this time.

70

71

Resolution

72

==========

73

74

All Apache Portable Runtime Utility Library users should upgrade to the

75

latest version:

76

77

    # emerge --sync

78

    # emerge --ask --oneshot --verbose ">=dev-libs/apr-util-1.3.7"

79

80

References

81

==========

82

83

  [ 1 ] CVE-2009-0023

84

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023

85

  [ 2 ] CVE-2009-1955

86

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955

87

  [ 3 ] CVE-2009-1956

88

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956

89

90

Availability

91

============

92

93

This GLSA and any updates to it are available for viewing at

94

the Gentoo Security Website:

95

96

  http://security.gentoo.org/glsa/glsa-200907-03.xml

97

98

Concerns?

99

=========

100

101

Security is a primary focus of Gentoo Linux and ensuring the

102

confidentiality and security of our users machines is of utmost

103

importance to us. Any security concerns should be addressed to

104

security@g.o or alternatively, you may file a bug at

105

http://bugs.gentoo.org.

106

107

License

108

=======

109

110

Copyright 2009 Gentoo Foundation, Inc; referenced text

111

belongs to its owner(s).

112

113

The contents of this document are licensed under the

114

Creative Commons - Attribution / Share Alike license.

115

116

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200907-03
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: APR Utility Library: Multiple vulnerabilities
9	Date: July 04, 2009
10	Bugs: #268643, #272260, #274193
11	ID: 200907-03
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities in the Apache Portable Runtime Utility Library
19	might enable remote attackers to cause a Denial of Service or disclose
20	sensitive information.
21
22	Background
23	==========
24
25	The Apache Portable Runtime Utility Library (aka apr-util) provides an
26	interface to functionality such as XML parsing, string matching and
27	databases connections.
28
29	Affected packages
30	=================
31
32	-------------------------------------------------------------------
33	Package / Vulnerable / Unaffected
34	-------------------------------------------------------------------
35	1 dev-libs/apr-util < 1.3.7 >= 1.3.7
36
37	Description
38	===========
39
40	Multiple vulnerabilities have been discovered in the APR Utility
41	Library:
42
43	* Matthew Palmer reported a heap-based buffer underflow while
44	compiling search patterns in the apr_strmatch_precompile() function
45	in strmatch/apr_strmatch.c (CVE-2009-0023).
46
47	* kcope reported that the expat XML parser in xml/apr_xml.c does not
48	limit the amount of XML entities expanded recursively
49	(CVE-2009-1955).
50
51	* C. Michael Pilato reported an off-by-one error in the
52	apr_brigade_vprintf() function in buckets/apr_brigade.c
53	(CVE-2009-1956).
54
55	Impact
56	======
57
58	A remote attacker could exploit these vulnerabilities to cause a Denial
59	of Service (crash or memory exhaustion) via an Apache HTTP server
60	running mod_dav or mod_dav_svn, or using several configuration files.
61	Additionally, a remote attacker could disclose sensitive information or
62	cause a Denial of Service by sending a specially crafted input. NOTE:
63	Only big-endian architectures such as PPC and HPPA are affected by the
64	latter flaw.
65
66	Workaround
67	==========
68
69	There is no known workaround at this time.
70
71	Resolution
72	==========
73
74	All Apache Portable Runtime Utility Library users should upgrade to the
75	latest version:
76
77	# emerge --sync
78	# emerge --ask --oneshot --verbose ">=dev-libs/apr-util-1.3.7"
79
80	References
81	==========
82
83	[ 1 ] CVE-2009-0023
84	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0023
85	[ 2 ] CVE-2009-1955
86	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955
87	[ 3 ] CVE-2009-1956
88	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956
89
90	Availability
91	============
92
93	This GLSA and any updates to it are available for viewing at
94	the Gentoo Security Website:
95
96	http://security.gentoo.org/glsa/glsa-200907-03.xml
97
98	Concerns?
99	=========
100
101	Security is a primary focus of Gentoo Linux and ensuring the
102	confidentiality and security of our users machines is of utmost
103	importance to us. Any security concerns should be addressed to
104	security@g.o or alternatively, you may file a bug at
105	http://bugs.gentoo.org.
106
107	License
108	=======
109
110	Copyright 2009 Gentoo Foundation, Inc; referenced text
111	belongs to its owner(s).
112
113	The contents of this document are licensed under the
114	Creative Commons - Attribution / Share Alike license.
115
116	http://creativecommons.org/licenses/by-sa/2.5