Hi,

On Sat, Sep 03, 2022 at 03:31:15PM +0200, Steinar H. Gunderson wrote:
> On Fri, Aug 26, 2022 at 09:07:06PM +0200, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for libapreq2.
> >
> > CVE-2022-22728[0]:
> > | A flaw in Apache libapreq2 versions 2.16 and earlier could cause a
> > | buffer overflow while processing multipart form uploads. A remote
> > | attacker could send a request causing a process crash which could lead
> > | to a denial of service attack.
>
> Based on the description, I assume it is this one:
>
> http://svn.apache.org/viewvc?view=revision&revision=1866760
>
> I'm not sure if it counts as "buffer overflow", but given that it only
> mentions DoS and not arbitrary code execution, NULL pointer dereference
> looks a lot like it. 2.13 appears vulnerable to me, given the description.
>
> I don't use libapreq2 anymore, so anyone wanting to pick up the package
> would be more than welcome. Upstream homepage is now seemingly at:
>
> https://httpd.apache.org/apreq/
Thanks for having investigated this further. This is puzzling and
upstream has not yet answered on queries about isolating the fix. The
above would be already a couple of years old. And
https://bugs.gentoo.org/show_bug.cgi?id=CVE-2022-22728#c1 seems to
indicate there must be something in recent days about it.

A diff between libapreq2-2.16 and libapreq2-2.17 has in fact:

diff -urN libapreq2-2.16/CHANGES libapreq2-2.17/CHANGES
--- libapreq2-2.16/CHANGES	2021-03-10 14:46:30.000000000 +0100
+++ libapreq2-2.17/CHANGES	2022-08-18 11:19:04.000000000 +0200
@@ -1,6 +1,11 @@
 /** @page apreq_changes CHANGES
 //! brief List of major changes.
 
+@section v2_17 Changes with libapreq2-2.17 (released 25 August, 2022)
+
+- Multipart header parser [Yann Ylavic]
+  Rework apreq_parse_headers() to discard CRLF of folded values.
+
 @section v2_16 Changes with libapreq2-2.16 (released 17 March, 2021)

But maybe as you suggest we have to go back. Though it should be
something which still affects 2.16 upstream, and likely not the newly
released 2.17.

Regards,
Salvatore
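Review bot: the added @section v2_17 entry credits the apreq_parse_headers() rework for folded-value CRLF handling but never mentions CVE-2022-22728 or the multipart-upload crash the advisory describes, so this CHANGES hunk on its own cannot confirm that the rework is the fix the thread is trying to isolate; the entry should name the CVE so that downstream packagers can map the 2.17 release to the advisory without waiting on upstream to answer.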