apr_fnmatch() function of <dev-libs/apr-1.4.4 is vulnerable to Denial of Service.
This vulnerability affects e.g. mod_autoindex from www-servers/apache.
amd64 done. Thanks Agostino
Arch teams, please test and mark stable:
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
Thanks, folks. GLSA request filed.
Stack consumption vulnerability in the fnmatch implementation in
apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and
the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD
5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and
Android, allows context-dependent attackers to cause a denial of service
(CPU and memory consumption) via *? sequences in the first argument, as
demonstrated by attacks against mod_autoindex in httpd.
The problem is solved in the released apr-1.4.5 . Please, put it in portage .
i have finally gdb-identified this as being source of my apache worker endless loop cpu hogging behavior. any reason why these packages aren't marked stable yet?
This issue was resolved and addressed in
GLSA 201405-24 at http://security.gentoo.org/glsa/glsa-201405-24.xml
by GLSA coordinator Sean Amoss (ackle).