oss-sec mailing list archives

Re: CVE-2022-24963: Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions

From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Tue, 31 Jan 2023 09:42:14 -0800

On 1/31/23 07:12, Eric Covener wrote:

Severity: moderate

Description:

Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an 
attacker to write beyond bounds of a buffer.
This issue affects Apache Portable Runtime (APR) version 1.7.0.

Credit:

Ronald Crane (Zippenhop LLC) (finder)

References:

https://apr.apache.org/
https://www.cve.org/CVERecord?id=CVE-2022-24963


And what's the fix?  Is there a patch to apply or new version to upgrade to?

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris

Current thread:

CVE-2022-24963: Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions Eric Covener (Jan 31)
- Re: CVE-2022-24963: Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions Alan Coopersmith (Jan 31)
  - Re: CVE-2022-24963: Apache Portable Runtime (APR): out-of-bound writes in the apr_encode family of functions Zube (Jan 31)