On 5/11/2011 1:39 AM, William A. Rowe Jr. wrote:
> Users;
>
> Please note the following clarification to the APR 1.4.4 release.
>
> Whether this represents a security flaw to *your* application depends
> on untrusted fnmatch patterns being applied to very long name strings,
> the default stack size, and the impact of a stack overflow to the app.

I initially wrote "stack overflow"; this was incorrect. The nature of the
vulnerability is (exponential) excessive CPU utilization. You are most
unlikely to observe a stack overflow.

> Modified: release/apr/Announcement1.x.txt
> ==============================================================================
> --- release/apr/Announcement1.x.txt (original)
> +++ release/apr/Announcement1.x.txt Tue May 10 19:38:45 2011
> @@ -8,6 +8,18 @@
>   These are bug fix releases. Users of previous versions are
>   encouraged to update to these releases.
>
> + Note especially a security fix to APR 1.4.4, stack overflow
> + was possible due to unconstrained, recursive invocation of
> + apr_fnmatch, as apr_fnmatch processed '*' wildcards.
> +
> + * Security: CVE-2011-0419 (http://cve.mitre.org)
> + Reimplement apr_fnmatch() from scratch using a non-recursive
> + algorithm; now has improved compliance with the fnmatch() spec.
> + [William Rowe]
> +
> + The APR Project thanks Maksymilian Arciemowicz of SecurityReason
> + for his research and reporting of this issue.
> +
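Review bot: the added announcement lines still describe the issue as a stack overflow ("Note especially a security fix to APR 1.4.4, stack overflow / was possible due to unconstrained, recursive invocation of / apr_fnmatch"), while the reply above corrects this to excessive, exponential CPU utilization with a stack overflow being unlikely. Suggest rewording those three added lines to describe the impact as excessive CPU consumption from the recursive handling of '*' wildcards, so the shipped Announcement1.x.txt matches the clarification.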
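As an added example, not APR's apr_fnmatch() or any code from this thread: a minimal glob matcher with the recursive '*' handling the announcement describes, beside a non-recursive matcher of the general kind the fix moved to, plus a call counter that makes the recursive cost visible. The names `match_recursive`, `match_iterative` and `recursive_cost` are my own; only '*', '?' and literal characters are supported.

```c
#include <stddef.h>

/* Counts entries into the recursive matcher so the blow-up is observable. */
static unsigned long recursive_calls;

/* Recursive '*' handling: each '*' tries every suffix of the name and recurses,
 * so with several stars the call count grows combinatorially in the name length. */
int match_recursive(const char *pat, const char *name)
{
    recursive_calls++;
    for (; *pat; pat++, name++) {
        if (*pat == '*') {
            while (*pat == '*') pat++;          /* collapse runs of '*' */
            if (!*pat) return 1;                /* trailing '*' matches the rest */
            for (; *name; name++)
                if (match_recursive(pat, name)) return 1;
            return 0;
        }
        if (!*name || (*pat != '?' && *pat != *name)) return 0;
    }
    return *name == '\0';
}

/* Non-recursive matcher: on a mismatch after a '*', resume one character further
 * into the name; work is bounded by pattern length times name length and no call
 * stack grows with the input. */
int match_iterative(const char *pat, const char *name)
{
    const char *star = NULL, *star_name = NULL;
    while (*name) {
        if (*pat == '*') {                  /* note the star; let it match nothing yet */
            star = pat++;
            star_name = name;
        } else if (*pat == '?' || *pat == *name) {
            pat++; name++;
        } else if (star) {                  /* backtrack: the star absorbs one more char */
            pat = star + 1;
            name = ++star_name;
        } else {
            return 0;
        }
    }
    while (*pat == '*') pat++;              /* trailing stars match the empty rest */
    return *pat == '\0';
}

/* Runs the recursive matcher and reports how many calls it needed. */
unsigned long recursive_cost(const char *pat, const char *name)
{
    recursive_calls = 0;
    match_recursive(pat, name);
    return recursive_calls;
}
```

Comparing `recursive_cost("*b", "aaaa")` with `recursive_cost("*a*b", "aaaa")` shows the call count rising as stars are added, while `match_iterative` does the same work with a fixed stack depth.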