On Wed, Nov 01, 2017 at 01:07:34PM +0100, Rainer Jung wrote:
> On 01.11.2017 at 12:22, Stefan Sperling wrote:
> > On Mon, Oct 23, 2017 at 01:27:59PM -0500, William A Rowe Jr wrote:
> > >    CVE-2017-12618; Out-of-bounds access in corrupted SDBM database.
> > > 
> > >    APR-util 1.6.0 and prior failed to validate the integrity of SDBM
> > >    database files used by apr_sdbm*() functions, resulting in a
> > >    possible out of bound read access. A local user with write access
> > >    to the database can make a program or process using these functions
> > >    crash, and cause a denial of service.
> > 
> > I am looking for the patch which fixed the above issue.
> > 
> > Where can I find it?
> > 
> > Was it r1809394? All of it? Some of it?
> > 
> > Rationale: APR-util 1.6.3 added a shared library symbol:
> > 
> > No dynamic export changes
> > PLT added:
> >          apr_xml_parser_done
> > 
> > I want to figure out a way to patch this security issue in
> > OpenBSD 6.2-stable, without changing unrelated library symbols.
> 
> Yes, it should be r1809394 or even better the 1.6.x backport r1809395.
> 
> Regards,
> 
> Rainer

Thank you, Rainer. I have committed this fix to OpenBSD.
