oss-sec mailing list archives
Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption
From: John Helmert III <ajak () gentoo org>
Date: Sat, 31 Dec 2022 11:42:45 -0600
On Sat, Dec 31, 2022 at 10:54:00AM +0100, Arnout Engelen wrote:
On Fri, Dec 30, 2022 at 10:54 PM John Helmert III <ajak () gentoo org> wrote:On Thu, Dec 29, 2022 at 10:50:26AM +0100, Salvatore Bonaccorso wrote:On Fri, Aug 26, 2022 at 11:01:23AM -0500, John Helmert III wrote:On Thu, Aug 25, 2022 at 02:09:16PM +0000, Joe Orton wrote:A flaw in libapreq2 versions 2.16 and earlier could cause a buffer overflow while processing multipart form uploads.Is there a fixed version or patch or upstream issue?libapreq2 2.17 was released on the same day as the advisory describing the problem with 2.16 and earlier (https://httpd.apache.org/apreq/).
Does it fix CVE-2022-22728? Whether or not it does isn't clear from the changelog [1], and I can't find a reference to the CVE elsewhere in the source tree. [1] https://svn.apache.org/repos/asf/httpd/apreq/trunk/CHANGES
Kind regards, Arnout
Attachment:
signature.asc
Description:
Current thread:
- Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption Salvatore Bonaccorso (Dec 29)
- Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption John Helmert III (Dec 30)
- Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption Arnout Engelen (Dec 31)
- Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption John Helmert III (Dec 31)
- Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption Arnout Engelen (Dec 31)
- Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption John Helmert III (Dec 30)