366903 – (CVE-2011-0419) <dev-libs/apr-1.4.4: Denial of Service in apr_fnmatch() (CVE-2011-0419)

Bug 366903 (CVE-2011-0419) - <dev-libs/apr-1.4.4: Denial of Service in apr_fnmatch() (CVE-2011-0419)

Summary: <dev-libs/apr-1.4.4: Denial of Service in apr_fnmatch() (CVE-2011-0419)

Status:	RESOLVED FIXED

Alias:	CVE-2011-0419

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All All

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2011-05-11 17:17 UTC by Arfrever Frehtes Taifersar Arahesis (RETIRED)
Modified:	2014-05-18 17:54 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev

2011-05-11 17:17:15 UTC

apr_fnmatch() function of <dev-libs/apr-1.4.4 is vulnerable to Denial of Service.
This vulnerability affects e.g. mod_autoindex from www-servers/apache.

Comment 1 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev

2011-05-11 17:19:03 UTC

Stabilize:
  dev-libs/apr-1.4.4
  dev-libs/apr-util-1.3.11

Comment 2 Agostino Sarubbo gentoo-dev

2011-05-11 17:58:04 UTC

amd64 ok

Comment 3 Markos Chandras (RETIRED) gentoo-dev

2011-05-11 18:20:34 UTC

amd64 done. Thanks Agostino

Comment 4 Thomas Kahle (RETIRED) gentoo-dev

2011-05-12 07:53:14 UTC

x86 stable

Comment 5 Jeroen Roovers (RETIRED) gentoo-dev

2011-05-12 18:56:20 UTC

Like this:

Arch teams, please test and mark stable:
=dev-libs/apr-1.4.4
=dev-libs/apr-util-1.3.11
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Thank you.

Comment 6 Jeroen Roovers (RETIRED) gentoo-dev

2011-05-13 14:12:58 UTC

Stable for HPPA.

Comment 7 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev

2011-05-14 16:28:38 UTC

ppc/ppc64 stable

Comment 8 Raúl Porcel (RETIRED) gentoo-dev

2011-05-14 19:36:00 UTC

alpha/arm/ia64/s390/sh/sparc stable

Comment 9 Tim Sammut (RETIRED) gentoo-dev

2011-05-14 20:03:46 UTC

Thanks, folks. GLSA request filed.

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2011-06-24 00:32:41 UTC

CVE-2011-0419 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0419):
  Stack consumption vulnerability in the fnmatch implementation in
  apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and
  the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD
  5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and
  Android, allows context-dependent attackers to cause a denial of service
  (CPU and memory consumption) via *? sequences in the first argument, as
  demonstrated by attacks against mod_autoindex in httpd.

Comment 11 Aleksander Zatserkovnyy 2011-06-29 01:07:04 UTC

The problem is solved in the released apr-1.4.5 . Please, put it in portage .

Comment 12 Leho Kraav (:macmaN @lkraav) 2011-09-07 19:36:10 UTC

i have finally gdb-identified this as being source of my apache worker endless loop cpu hogging behavior. any reason why these packages aren't marked stable yet?

Comment 13 GLSAMaker/CVETool Bot gentoo-dev

2014-05-18 17:54:13 UTC

This issue was resolved and addressed in
 GLSA 201405-24 at http://security.gentoo.org/glsa/glsa-201405-24.xml
by GLSA coordinator Sean Amoss (ackle).