Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption

[Salvatore Bonaccorso <carnil () debian org>]

Hi Arnout,

On Mon, Jan 02, 2023 at 12:51:04PM +0100, Arnout Engelen wrote:
> On Sat, Dec 31, 2022 at 6:42 PM John Helmert III <ajak () gentoo org> wrote:
> > On Sat, Dec 31, 2022 at 10:54:00AM +0100, Arnout Engelen wrote:
> > > On Fri, Dec 30, 2022 at 10:54 PM John Helmert III <ajak () gentoo org> wrote:
> > > > On Thu, Dec 29, 2022 at 10:50:26AM +0100, Salvatore Bonaccorso wrote:
> > > > > On Fri, Aug 26, 2022 at 11:01:23AM -0500, John Helmert III wrote:
> > > > > > On Thu, Aug 25, 2022 at 02:09:16PM +0000, Joe Orton wrote:
> > > > > > > A flaw in libapreq2 versions 2.16 and earlier could cause a buffer
> > > > > > > overflow while processing multipart form uploads.
> > > > > >
> > > > > > Is there a fixed version or patch or upstream issue?
> > >
> > > libapreq2 2.17 was released on the same day as the advisory describing
> > > the problem with 2.16 and earlier (https://httpd.apache.org/apreq/).
> >
> > Does it fix CVE-2022-22728? Whether or not it does isn't clear from
> > the changelog [1], and I can't find a reference to the CVE elsewhere
> > in the source tree.
>
> I think https://svn.apache.org/viewvc?view=revision&revision=1894937
> contained the fix for this issue. This is included in 2.17.

Thank you!

So apart https://svn.apache.org/r1894937 one would probably as well
need

https://svn.apache.org/r1894940 (non-functional change)
https://svn.apache.org/r1894977

and

https://svn.apache.org/r1895054

Regards,
Salvatore