Please note the following clarification to the APR 1.4.4 release.

Whether this represents a security flaw to *your* application depends
on untrusted fnmatch patterns being applied to very long name strings,
the default stack size, and the impact of a stack overflow to the app.

Modified: release/apr/Announcement1.x.txt
--- release/apr/Announcement1.x.txt (original)
+++ release/apr/Announcement1.x.txt Tue May 10 19:38:45 2011
@@ -8,6 +8,18 @@
    These are bug fix releases.  Users of previous versions are
    encouraged to update to these releases.

+   Note especially a security fix to APR 1.4.4, stack overflow
+   was possible due to unconstrained, recursive invocation of
+   apr_fnmatch, as apr_fnmatch processed '*' wildcards.
+   * Security: CVE-2011-0419 (
+     Reimplement apr_fnmatch() from scratch using a non-recursive
+     algorithm; now has improved compliance with the fnmatch() spec.
+     [William Rowe]
+   The APR Project thanks Maksymilian Arciemowicz of SecurityReason
+   for his research and reporting of this issue.

Reply via email to