Bug#1018191: libapreq2: CVE-2022-22728: multipart form parse memory corruption

2022-12-30 Thread Salvatore Bonaccorso
Hi,

On Fri, Dec 30, 2022 at 05:25:41PM +0100, Tobias Frost wrote:
> On Fri, Dec 30, 2022 at 04:14:25PM +0100, Salvatore Bonaccorso wrote:
> > Hi Steinar, hi Tobias,
> >
> > On Fri, Dec 30, 2022 at 12:04:29PM +0100, Tobias Frost wrote:
> > > On Fri, Dec 30, 2022 at 11:18:14AM +0100, Steinar H.

Bug#1018191: libapreq2: CVE-2022-22728: multipart form parse memory corruption

2022-12-30 Thread Tobias Frost
On Fri, Dec 30, 2022 at 04:14:25PM +0100, Salvatore Bonaccorso wrote:
> Hi Steinar, hi Tobias,
>
> On Fri, Dec 30, 2022 at 12:04:29PM +0100, Tobias Frost wrote:
> > On Fri, Dec 30, 2022 at 11:18:14AM +0100, Steinar H. Gunderson wrote:
> > > On Fri, Dec 30, 2022 at 11:04:46AM +0100, Tobias Frost

Bug#1018191: libapreq2: CVE-2022-22728: multipart form parse memory corruption

2022-12-30 Thread Salvatore Bonaccorso
Hi Steinar, hi Tobias,

On Fri, Dec 30, 2022 at 12:04:29PM +0100, Tobias Frost wrote:
> On Fri, Dec 30, 2022 at 11:18:14AM +0100, Steinar H. Gunderson wrote:
> > On Fri, Dec 30, 2022 at 11:04:46AM +0100, Tobias Frost wrote:
> > > I was trying to triage this CVE and *maybe* those revisions are

Bug#1018191: libapreq2: CVE-2022-22728: multipart form parse memory corruption

2022-12-30 Thread Tobias Frost
On Fri, Dec 30, 2022 at 12:28:49PM +0100, Steinar H. Gunderson wrote:
> On Fri, Dec 30, 2022 at 12:04:29PM +0100, Tobias Frost wrote:
> > (I'm currently taking a look at 2.17, to see if I can get it packaged, if I'm
> > succeeding,
> > there will be an NMU announcement :))
>
> If you are NMUing,

Bug#1018191: libapreq2: CVE-2022-22728: multipart form parse memory corruption

2022-12-30 Thread Steinar H. Gunderson
On Fri, Dec 30, 2022 at 12:04:29PM +0100, Tobias Frost wrote:
> (I'm currently taking a look at 2.17, to see if I can get it packaged, if I'm
> succeeding,
> there will be an NMU announcement :))

If you are NMUing, could you orphan the package in the upload?

/* Steinar */
-- 
Homepage:

Bug#1018191: libapreq2: CVE-2022-22728: multipart form parse memory corruption

2022-12-30 Thread Tobias Frost
On Fri, Dec 30, 2022 at 11:18:14AM +0100, Steinar H. Gunderson wrote:
> On Fri, Dec 30, 2022 at 11:04:46AM +0100, Tobias Frost wrote:
> > I was trying to triage this CVE and *maybe* those revisions are related:
> >
> > r1894937 ("apreq_parse_headers: Discard CRLF of folded values.")
> > r1894940

Bug#1018191: libapreq2: CVE-2022-22728: multipart form parse memory corruption

2022-12-30 Thread Steinar H. Gunderson
On Fri, Dec 30, 2022 at 11:04:46AM +0100, Tobias Frost wrote:
> I was trying to triage this CVE and *maybe* those revisions are related:
>
> r1894937 ("apreq_parse_headers: Discard CRLF of folded values.")
> r1894940 ("reindent (no functional change).")
> r1894977 ("Follow up to r1894937: Fix

Bug#1018191: libapreq2: CVE-2022-22728: multipart form parse memory corruption

2022-12-30 Thread Tobias Frost
I was trying to triage this CVE and *maybe* those revisions are related:

r1894937 ("apreq_parse_headers: Discard CRLF of folded values.")
r1894940 ("reindent (no functional change).")
r1894977 ("Follow up to r1894937: Fix setting of empty value.")
r1895054 ("Follow up to r1894937: Always eat

Bug#1018191: libapreq2: CVE-2022-22728: multipart form parse memory corruption

2022-09-03 Thread Salvatore Bonaccorso
Hi,

On Sat, Sep 03, 2022 at 03:31:15PM +0200, Steinar H. Gunderson wrote:
> On Fri, Aug 26, 2022 at 09:07:06PM +0200, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for libapreq2.
> >
> > CVE-2022-22728[0]:
> > | A flaw in Apache libapreq2 versions 2.16 and earlier

Bug#1018191: libapreq2: CVE-2022-22728: multipart form parse memory corruption

2022-09-03 Thread Steinar H. Gunderson
On Fri, Aug 26, 2022 at 09:07:06PM +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for libapreq2.
>
> CVE-2022-22728[0]:
> | A flaw in Apache libapreq2 versions 2.16 and earlier could cause a
> | buffer overflow while processing multipart form uploads. A remote
> |

Bug#1018191: libapreq2: CVE-2022-22728: multipart form parse memory corruption

2022-08-26 Thread Salvatore Bonaccorso
Source: libapreq2
Version: 2.13-7
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for libapreq2.

CVE-2022-22728[0]:
| A flaw in Apache libapreq2 versions 2.16 and earlier could cause a
| buffer