From Secunia: Some vulnerabilities have been reported in APR-util, which can potentially be exploited to cause a DoS (Denial of Service) or compromise an application using the library. The vulnerabilities are caused by integer overflow errors in the "apr_rmm_malloc()", "apr_rmm_calloc()", and "apr_rmm_realloc()" functions in misc/apr_rmm.c when aligning relocatable memory blocks, which can potentially be exploited to cause buffer overflows.
Patches at $URL, new releases are expected soon as well. CC'ing infra.
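To show the bug class the advisory above describes, here is an added illustration (not APR's code and not the patch at $URL): a size-rounding step of the kind an rmm-style allocator performs, first without and then with an overflow check. The alignment granularity, header size and function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ALIGN     8u   /* constructed alignment granularity */
#define BLOCK_HDR 16u  /* constructed per-block bookkeeping size */

/* Naive round-up to a multiple of ALIGN. size_t arithmetic wraps silently,
 * so a size close to SIZE_MAX rounds to a tiny value instead of failing. */
static size_t align_up_unchecked(size_t size)
{
    return (size + ALIGN - 1) & ~(size_t)(ALIGN - 1);
}

/* Checked round-up: refuse sizes for which "size + ALIGN - 1" would wrap. */
static bool align_up_checked(size_t size, size_t *out)
{
    if (size > SIZE_MAX - (ALIGN - 1))
        return false;
    *out = (size + ALIGN - 1) & ~(size_t)(ALIGN - 1);
    return true;
}

/* Total bytes reserved for a user request: header added, then aligned.
 * With wrapping arithmetic a huge request yields a small block, and the
 * caller later writes user_size bytes into it: a heap buffer overflow. */
static size_t request_bytes_unchecked(size_t user_size)
{
    return align_up_unchecked(user_size + BLOCK_HDR);
}

/* Hardened form: every addition is checked before it is performed. */
static bool request_bytes_checked(size_t user_size, size_t *total)
{
    if (user_size > SIZE_MAX - BLOCK_HDR)
        return false;
    return align_up_checked(user_size + BLOCK_HDR, total);
}

int main(void)
{
    size_t huge = SIZE_MAX - 10, total = 0;
    printf("unchecked: request %zu -> reserve %zu bytes\n",
           huge, request_bytes_unchecked(huge));
    printf("checked:   request %zu -> %s\n", huge,
           request_bytes_checked(huge, &total) ? "ok" : "rejected");
    return 0;
}
```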
dev-libs/apr-1.3.8 and dev-libs/apr-util-1.3.9 are now in the tree.
Please stabilize dev-libs/apr-1.3.8 and dev-libs/apr-util-1.3.9.
Arches, please test and mark stable:
=dev-libs/apr-1.3.8
=dev-libs/apr-util-1.3.9
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Please note this is a high priority stabilization.
amd64 stable. Also tested successfully in my x86 chroot, but not marked stable in case anyone from x86 wants to test themselves.
GLSA draft filed.
x86 stable
Uuuh, has somebody tested this with the stable Apache? Double-checked and rebuilt it on my server, but it fails to start (unable to bind the socket on port 80) with the new apr; works fine with 1.3.5...
Okay so this breaks badly on older kernels, like 2.6.26 which is widely used for vservers. Can we have more speed and less haste?
Removing arches, re-adding x86; you may want to drop stable again. The patches in $URL should apply to 1.3.5 as well, so backporting seems a more feasible approach to get it fixed timely.
amd64 as well (found the issue on that to begin with)
x86 reverted to testing.
Can somebody please backport?
FYI: Patches apply cleanly to apr-1.3.5 and apr-util-1.3.7. Unfortunately I can't commit.
I added a "cloexec" USE flag for dev-libs/apr-1.3.8. Users who want to build APR on systems with newer kernels and use it on systems with older kernels should disable the "cloexec" USE flag.
Arches, please test and mark stable:
=dev-libs/apr-1.3.8
=dev-libs/apr-util-1.3.9
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Both stable on alpha.
Stable for HPPA.
arm/ia64/s390/sh/sparc stable
ppc, ppc64: ping!
ppc stable
ppc64 done
GLSA already filed, pending 2 approvals.
GLSA 200909-03, sorry for the delay.