oss-sec mailing list archives

Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption


From: John Helmert III <ajak () gentoo org>
Date: Sat, 31 Dec 2022 11:42:45 -0600

On Sat, Dec 31, 2022 at 10:54:00AM +0100, Arnout Engelen wrote:
On Fri, Dec 30, 2022 at 10:54 PM John Helmert III <ajak () gentoo org> wrote:
On Thu, Dec 29, 2022 at 10:50:26AM +0100, Salvatore Bonaccorso wrote:
On Fri, Aug 26, 2022 at 11:01:23AM -0500, John Helmert III wrote:
On Thu, Aug 25, 2022 at 02:09:16PM +0000, Joe Orton wrote:
A flaw in libapreq2 versions 2.16 and earlier could cause a buffer
overflow while processing multipart form uploads.

Is there a fixed version or patch or upstream issue?

libapreq2 2.17 was released on the same day as the advisory describing
the problem with 2.16 and earlier (https://httpd.apache.org/apreq/).

Does it fix CVE-2022-22728? Whether or not it does isn't clear from
the changelog [1], and I can't find a reference to the CVE elsewhere
in the source tree.

[1] https://svn.apache.org/repos/asf/httpd/apreq/trunk/CHANGES


Kind regards,

Arnout
