CVE-2009-2412

2009-08-0600:00:00

ubuntu.com

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.11 Low

EPSS

Percentile

95.0%

JSON

Multiple integer overflows in the Apache Portable Runtime (APR) library and
the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow
remote attackers to cause a denial of service (application crash) or
possibly execute arbitrary code via vectors that trigger crafted calls to
the (1) allocator_alloc or (2) apr_palloc function in
memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc,
(4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in
APR-util; leading to buffer overflows. NOTE: some of these details are
obtained from third party information.

Notes

Author	Note
jdstrand	apache2 on hardy and higher uses system apr and apr-util

OSVersionArchitecturePackageVersionFilename
ubuntu6.06noarchapache2< 2.0.55-4ubuntu2.7UNKNOWN
ubuntu8.04noarchapr< 1.2.11-1ubuntu0.1UNKNOWN
ubuntu8.10noarchapr< 1.2.12-4ubuntu0.1UNKNOWN
ubuntu9.04noarchapr< 1.2.12-5ubuntu0.1UNKNOWN
ubuntu8.04noarchapr-util< 1.2.12+dfsg-3ubuntu0.2UNKNOWN
ubuntu8.10noarchapr-util< 1.2.12+dfsg-7ubuntu0.3UNKNOWN
ubuntu9.04noarchapr-util< 1.2.12+dfsg-8ubuntu0.3UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	6.06	noarch	apache2	< 2.0.55-4ubuntu2.7	UNKNOWN
ubuntu	8.04	noarch	apr	< 1.2.11-1ubuntu0.1	UNKNOWN
ubuntu	8.10	noarch	apr	< 1.2.12-4ubuntu0.1	UNKNOWN
ubuntu	9.04	noarch	apr	< 1.2.12-5ubuntu0.1	UNKNOWN
ubuntu	8.04	noarch	apr-util	< 1.2.12+dfsg-3ubuntu0.2	UNKNOWN
ubuntu	8.10	noarch	apr-util	< 1.2.12+dfsg-7ubuntu0.3	UNKNOWN
ubuntu	9.04	noarch	apr-util	< 1.2.12+dfsg-8ubuntu0.3	UNKNOWN