Some vulnerabilities have been reported in APR-util, which can be exploited by malicious users and malicious people to disclose potentially sensitive information or cause a DoS (Denial of Service).
1) An error in the processing of XML files can be exploited to exhaust all available memory via a specially crafted XML file containing a predefined entity inside an entity definition.
2) An error within the "apr_strmatch_precompile()" function in strmatch/apr_strmatch.c can be exploited to crash an application using the library.
3) An off-by-one error within the "apr_brigade_vprintf()" function in buckets/apr_brigade.c can be exploited to disclose potentially sensitive information or crash an application using the library.
Successful exploitation may require a big-endian system.
Solution: Update to version 0.9.17 or 1.3.7.
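As an added example (not code from APR-util or from the original advisory), the C function below is a heuristic pre-parse check for item 1: it counts entity declarations whose replacement text itself contains an entity reference, so that untrusted XML can be rejected before it reaches the parser on systems that cannot be updated yet. The function name and the sample document are hypothetical, and the input is assumed to be in an ASCII-compatible encoding.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical pre-parse check (not an APR-util function): counts
 * <!ENTITY ...> declarations whose quoted replacement text itself
 * contains an entity reference such as &lt; or &#60;. */
int count_nested_entity_decls(const char *buf, size_t len)
{
    static const char tag[] = "<!ENTITY";
    const size_t tlen = sizeof(tag) - 1;
    size_t i = 0;
    int hits = 0;

    while (i + tlen <= len) {
        if (memcmp(buf + i, tag, tlen) != 0) {
            i++;
            continue;
        }
        i += tlen;
        /* Skip the entity name up to the opening quote of its value. */
        while (i < len && buf[i] != '"' && buf[i] != '\'' && buf[i] != '>')
            i++;
        if (i >= len || buf[i] == '>')
            continue;   /* truncated input or no literal value */
        char quote = buf[i++];
        int amp = 0, nested = 0;
        /* '&' followed later by ';' inside the literal is a reference. */
        for (; i < len && buf[i] != quote; i++) {
            if (buf[i] == '&')
                amp = 1;
            else if (buf[i] == ';' && amp)
                nested = 1;
        }
        hits += nested;
    }
    return hits;
}

int main(void)
{
    /* Constructed sample input, not taken from the advisory. */
    const char *doc = "<!DOCTYPE d [<!ENTITY a \"x &lt; y\">]><d>&a;</d>";
    int n = count_nested_entity_decls(doc, strlen(doc));
    printf("%d suspicious declaration(s): %s\n", n, n ? "reject" : "pass");
    return 0;
}
```

The check is deliberately conservative: it also fires on declarations inside XML comments and on system identifiers containing `&...;`, and it does not inspect parameter entities, so treat a non-zero result as a reason to reject the document rather than as proof of an attack.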
Provided and/or discovered by:
1) kcope
2) Matthew Palmer
3) C. Michael Pilato
Original Advisory: http://www.apache.org/dist/apr/CHANGES-APR-UTIL-1.3