On 08/05/2009 09:23 PM, William A. Rowe, Jr. wrote:
>> Abuse of this flaw required the developer to request an allocation of
>> an untrusted size, which the APR developers determined to indicate a
>> flaw in the developer's code. Due to APR's behavior, however, an
>> application which exposed itself to such a flaw was further vulnerable
>> due to a non-null return value from pool or rmm allocation calls.
>> Under normal scenarios, NULL should be returned, which is either
>> detected or leads to an immediate segfault/halt. Due to APR's handling
>> of these allocation calls, data pollution and other side effects cannot
>> be ruled out, so APR had assigned CVE-2009-2412 <http://cve.mitre.org/>
>> to this issue. The APR project recommends all distributors update to
>> include this patch or the forthcoming APR release, to guard against the
>> greater impact of future exploits of library consumers' vulnerable code.
>
> In short, this is unlikely to affect httpd.
>
> But it's entirely possible that it affects third party modules built for
> httpd plus apr. I'm willing to tag and roll this evening a 2.2.13 if people
> will stand behind voting for it over the next two days.

Go ahead. I am willing to give it a test.

Regards

Rüdiger
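
The failure mode described in the quoted advisory (an impossible allocation request returning non-NULL instead of NULL), as an added example that is not part of the original thread and is not APR's code. It assumes the overflow happens when the requested size is rounded up to an alignment boundary, which the thread itself does not state; `toy_pool`, `TOY_ALIGN` and both functions are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical toy bump allocator for illustration; not APR's implementation. */
#define TOY_ALIGN(n) (((n) + (size_t)7) & ~(size_t)7)   /* round up to 8 bytes */

typedef struct {
    unsigned char buf[64];
    size_t used;
} toy_pool;

/* Unchecked: rounds first, then compares the rounded size with free space. */
static void *toy_alloc_unchecked(toy_pool *p, size_t in_size)
{
    size_t size = TOY_ALIGN(in_size);   /* wraps to 0 when in_size > SIZE_MAX - 7 */
    if (size > sizeof(p->buf) - p->used)
        return NULL;
    void *mem = p->buf + p->used;
    p->used += size;
    return mem;                         /* non-NULL for an impossible request */
}

/* Checked: a rounded size smaller than the request means the addition wrapped. */
static void *toy_alloc_checked(toy_pool *p, size_t in_size)
{
    size_t size = TOY_ALIGN(in_size);
    if (size < in_size)
        return NULL;                    /* caller sees the failure it expects */
    if (size > sizeof(p->buf) - p->used)
        return NULL;
    void *mem = p->buf + p->used;
    p->used += size;
    return mem;
}

int main(void)
{
    toy_pool a = {{0}, 0}, b = {{0}, 0};
    size_t untrusted = SIZE_MAX - 3;    /* constructed untrusted length */
    printf("unchecked: %s\n", toy_alloc_unchecked(&a, untrusted) ? "non-NULL" : "NULL");
    printf("checked:   %s\n", toy_alloc_checked(&b, untrusted) ? "non-NULL" : "NULL");
    return 0;
}
```

A caller that treats the unchecked function's non-NULL result as a buffer of the requested size writes past the pool, which is the data pollution the advisory cannot rule out.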
