Bug 368651 (CVE-2011-1928) - <dev-libs/apr-1.4.5: Denial of Service in apr_fnmatch.c (regression from (CVE-2011-{0419,1928})
Status: RESOLVED FIXED
Alias: CVE-2011-1928
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: Normal minor
Assignee: Gentoo Security
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard: B3 [glsa]
Keywords:
Depends on: CVE-2011-3368
Blocks:
Reported: 2011-05-25 06:20 UTC by Benedikt Böhm (RETIRED)
Modified: 2014-05-18 17:54 UTC (History)
Description Benedikt Böhm (RETIRED) gentoo-dev 2011-05-25 06:20:42 UTC
The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used. NOTE: this issue exists because of an incorrect fix for CVE-2011-0419.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-05-25 15:17:19 UTC
From the changelog at http://www.apache.org/dist/apr/CHANGES-APR-1.4:

Changes for APR 1.4.5

  *) Security: CVE-2011-1928
     apr_fnmatch(): Fix high CPU loop.  [William Rowe]
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2011-07-10 00:06:18 UTC
CVE-2011-1928 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1928):
  The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime
  (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows
  remote attackers to cause a denial of service (infinite loop) via a URI that
  does not match unspecified types of wildcard patterns, as demonstrated by
  attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration
  pattern is used.  NOTE: this issue exists because of an incorrect fix for
  CVE-2011-0419.
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2011-10-18 06:45:28 UTC
ebuild was already in tree for some time. Stabilization is requested in bug 385859.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2013-03-24 20:07:40 UTC
Added to existing draft.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2014-05-18 17:54:15 UTC
This issue was resolved and addressed in
 GLSA 201405-24 at http://security.gentoo.org/glsa/glsa-201405-24.xml
by GLSA coordinator Sean Amoss (ackle).