CVE-2009-2412
Published: 6 August 2009
Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows. NOTE: some of these details are obtained from third party information.
Notes
| Author | Note |
|---|---|
| jdstrand | apache2 on hardy and higher uses system apr and apr-util |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
apache2 Launchpad, Ubuntu, Debian |
dapper |
Released
(2.0.55-4ubuntu2.7)
|
| hardy |
Not vulnerable
|
|
| intrepid |
Not vulnerable
|
|
| jaunty |
Not vulnerable
|
|
| upstream |
Needs triage
|
|
|
apr Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Released
(1.2.11-1ubuntu0.1)
|
|
| intrepid |
Released
(1.2.12-4ubuntu0.1)
|
|
| jaunty |
Released
(1.2.12-5ubuntu0.1)
|
|
| upstream |
Released
(1.3.8-1)
|
|
|
apr-util Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Released
(1.2.12+dfsg-3ubuntu0.2)
|
|
| intrepid |
Released
(1.2.12+dfsg-7ubuntu0.3)
|
|
| jaunty |
Released
(1.2.12+dfsg-8ubuntu0.3)
|
|
| upstream |
Released
(1.3.9+dfsg-1)
|