Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 366903 (CVE-2011-0419) - <dev-libs/apr-1.4.4: Denial of Service in apr_fnmatch() (CVE-2011-0419)
Summary: <dev-libs/apr-1.4.4: Denial of Service in apr_fnmatch() (CVE-2011-0419)
Status: RESOLVED FIXED
Alias: CVE-2011-0419
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-11 17:17 UTC by Arfrever Frehtes Taifersar Arahesis (RETIRED)
Modified: 2014-05-18 17:54 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-05-11 17:17:15 UTC
apr_fnmatch() function of <dev-libs/apr-1.4.4 is vulnerable to Denial of Service.
This vulnerability affects e.g. mod_autoindex from www-servers/apache.
Comment 1 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2011-05-11 17:19:03 UTC
Stabilize:
  dev-libs/apr-1.4.4
  dev-libs/apr-util-1.3.11
Comment 2 Agostino Sarubbo gentoo-dev 2011-05-11 17:58:04 UTC
amd64 ok
Comment 3 Markos Chandras (RETIRED) gentoo-dev 2011-05-11 18:20:34 UTC
amd64 done. Thanks Agostino
Comment 4 Thomas Kahle (RETIRED) gentoo-dev 2011-05-12 07:53:14 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2011-05-12 18:56:20 UTC
Like this:

Arch teams, please test and mark stable:
=dev-libs/apr-1.4.4
=dev-libs/apr-util-1.3.11
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Thank you.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2011-05-13 14:12:58 UTC
Stable for HPPA.
Comment 7 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-05-14 16:28:38 UTC
ppc/ppc64 stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2011-05-14 19:36:00 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-05-14 20:03:46 UTC
Thanks, folks. GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:32:41 UTC
CVE-2011-0419 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0419):
  Stack consumption vulnerability in the fnmatch implementation in
  apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and
  the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD
  5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and
  Android, allows context-dependent attackers to cause a denial of service
  (CPU and memory consumption) via *? sequences in the first argument, as
  demonstrated by attacks against mod_autoindex in httpd.
Comment 11 Alexander Zatserkovniy 2011-06-29 01:07:04 UTC
The problem is solved in the released apr-1.4.5 . Please, put it in portage .
Comment 12 Leho Kraav (:macmaN @lkraav) 2011-09-07 19:36:10 UTC
i have finally gdb-identified this as being source of my apache worker endless loop cpu hogging behavior. any reason why these packages aren't marked stable yet?
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-05-18 17:54:13 UTC
This issue was resolved and addressed in
 GLSA 201405-24 at http://security.gentoo.org/glsa/glsa-201405-24.xml
by GLSA coordinator Sean Amoss (ackle).