Am 01.11.2017 um 12:22 schrieb Stefan Sperling:
On Mon, Oct 23, 2017 at 01:27:59PM -0500, William A Rowe Jr wrote:
CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
APR-util 1.6.0 and prior failed to validate the integrity of SDBM
database files used by apr_sdbm*() functions, resulting in a
possible out of bound read access. A local user with write access
to the database can make a program or process using these functions
crash, and cause a denial of service.
I am looking for the patch which fixed the above issue.
Where can I find it?
Was it r1809394? All of it? Some of it?
Rationale: APR-util 1.6.3 added a shared library symbol:
No dynamic export changes
PLT added:
apr_xml_parser_done
I want to figure out a way to patch this security issue in
OpenBSD 6.2-stable, without changing unrelated library symbols.
Yes, it should be r1809394 or even better the 1.6.x backport r1809395.
Regards,
Rainer