oss-sec mailing list archives

Re: CVE Request (apr-util)

From: "Steven M. Christey" <coley () linus mitre org>
Date: Sat, 6 Jun 2009 13:21:02 -0400 (EDT)


======================================================
Name: CVE-2009-1956
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1956
Reference: MLIST:[dev] 20090424 Buffer overflow in apr_brigade_vprintf() ?
Reference: URL:http://www.mail-archive.com/dev () apr apache org/msg21591.html
Reference: MLIST:[dev] 20090424 Re: Buffer overflow in apr_brigade_vprintf() ?
Reference: URL:http://www.mail-archive.com/dev () apr apache org/msg21592.html
Reference: MLIST:[oss-security] 20090605 CVE Request (apr-util)
Reference: URL:http://www.openwall.com/lists/oss-security/2009/06/06/1
Reference: CONFIRM:http://svn.apache.org/viewvc?view=rev&revision=768417
Reference: CONFIRM:http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=504390

Off-by-one error in the apr_brigade_vprintf function in Apache
APR-util before 1.3.5 on big-endian platforms allows remote attackers
to obtain sensitive information or cause a denial of service
(application crash) via crafted input.

Current thread:

CVE Request (apr-util) Josh Bressers (Jun 05)
- Re: CVE Request (apr-util) Steven M. Christey (Jun 06)