938542 – (CVE-2023-49582) <dev-libs/apr-1.7.5: Unexpected lax shared memory permissions

Bug 938542 (CVE-2023-49582) - <dev-libs/apr-1.7.5: Unexpected lax shared memory permissions

Summary: <dev-libs/apr-1.7.5: Unexpected lax shared memory permissions

Status:	CONFIRMED

Alias:	CVE-2023-49582

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B4 [stable?]
Keywords:

Depends on:
Blocks:

Reported:	2024-08-27 05:38 UTC by Hans de Graaff
Modified:	2024-08-27 05:40 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hans de Graaff gentoo-dev

2024-08-27 05:38:31 UTC

SECURITY: CVE-2023-49582: Apache Portable Runtime (APR):
     Unexpected lax shared memory permissions (cve.mitre.org)
     Lax permissions set by the Apache Portable Runtime library on
     Unix platforms would allow local users read access to named
     shared memory segments, potentially revealing sensitive
     application data.
     This issue does not affect non-Unix platforms, or builds with
     APR_USE_SHMEM_SHMGET=1 (apr.h)
     Users are recommended to upgrade to APR version 1.7.5, which
     fixes this issue.
     Credits: Thomas Stangner