[Debian] CVE: CVE-2022-25147: apr-util: Integer Overflow or Wraparound vulnerability

Bug #2009333 reported by Yue Tao
Affects    Status        Importance  Assigned to  Milestone
StarlingX  Fix Released  High        Peng Zhang

Bug Description

CVE-2022-25147: https://nvd.nist.gov/vuln/detail/CVE-2022-25147

Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions.
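The defect class named above is a length calculation that wraps, so a buffer is sized far too small for what the encoder then writes. The following is an added illustration of that pattern and its guard, not APR-util's own code; the function names, the formulas and the limits are assumptions chosen for the demonstration, and the arithmetic is done in 32-bit unsigned so the wraparound is defined and observable.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Illustration only: these are not APR-util's functions. The length
 * arithmetic is done in uint32_t so the wraparound is well defined. */

/* Unchecked: (len + 2) / 3 * 4 + 1 wraps for large len. A caller that
 * sizes its buffer from this value then lets the encoder write far
 * past the end of a tiny allocation. */
uint32_t unchecked_encode_len(uint32_t len)
{
    return (len + 2) / 3 * 4 + 1;
}

/* Largest input for which the encoded size still fits: we need
 * (len + 2) / 3 <= (UINT32_MAX - 1) / 4, hence len <= that quotient * 3. */
#define ENCODE_MAX_IN ((UINT32_MAX - 1) / 4 * 3)   /* 3221225469 */

/* Hardened: refuse oversized input before any arithmetic can wrap.
 * Returns 0, which is never a valid size (the NUL terminator makes a
 * real result at least 1), so callers can test the result directly. */
uint32_t checked_encode_len(uint32_t len)
{
    if (len > ENCODE_MAX_IN)
        return 0;
    return (len + 2) / 3 * 4 + 1;
}

/* Decode direction, (nbytes + 3) / 4 * 3 + 1: here the first addition
 * is what wraps, so the bound is UINT32_MAX - 3, not a scaled quotient.
 * Each formula needs its own derivation; one generic cap does not do. */
#define DECODE_MAX_IN (UINT32_MAX - 3)

uint32_t checked_decode_len(uint32_t nbytes)
{
    if (nbytes > DECODE_MAX_IN)
        return 0;
    return (nbytes + 3) / 4 * 3 + 1;
}

int main(void)
{
    uint32_t big = ENCODE_MAX_IN + 1;   /* one byte past the safe limit */
    printf("unchecked_encode_len(%" PRIu32 ") = %" PRIu32 "\n",
           big, unchecked_encode_len(big));   /* prints 1 */
    printf("checked_encode_len(%" PRIu32 ")   = %" PRIu32 "\n",
           big, checked_encode_len(big));     /* prints 0 */
    return 0;
}
```

The unchecked variant reports that a 3 GiB input needs a 1-byte buffer; the checked variant refuses it, which is the behaviour a caller can turn into an error instead of an out-of-bounds write.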

Score:
cve_id          status  cvss3Score  av  ac  pr  ui  ai
CVE-2022-25147  fixed   9.8         N   L   N   N   H

References:
libaprutil1_1.6.1-5_amd64.deb ===> libaprutil1_1.6.1-5+deb11u1_amd64.deb
libaprutil1-dbd-sqlite3_1.6.1-5_amd64.deb ===> libaprutil1-dbd-sqlite3_1.6.1-5+deb11u1_amd64.deb
libaprutil1-ldap_1.6.1-5_amd64.deb ===> libaprutil1-ldap_1.6.1-5+deb11u1_amd64.deb

Yue Tao (wrytao)
Changed in starlingx:
importance: Undecided → High
status: New → Confirmed
information type: Public → Public Security
tags: added: stx.9.0 stx.security
Yue Tao (wrytao)
Changed in starlingx:
assignee: nobody → Peng Zhang (pzhang2)
OpenStack Infra (hudson-openstack) wrote: Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/877101

Changed in starlingx:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/877101
Committed: https://opendev.org/starlingx/tools/commit/b9fc758861d073887ef11ec9079e20c105a39a92
Submitter: "Zuul (22348)"
Branch: master

commit b9fc758861d073887ef11ec9079e20c105a39a92
Author: Peng <email address hidden>
Date: Fri Mar 10 21:06:20 2023 +0800

    Debian:libaprutil1:fix CVE-2022-25147

    Upgrade libaprutil1, libaprutil1, libaprutil1-ldap to the version in
    which CVE-2022-25147 has been fixed:

    libaprutil1_1.6.1-5_amd64.deb to
    libaprutil1_1.6.1-5+deb11u1_amd64.deb
    libaprutil1-dbd-sqlite3_1.6.1-5_amd64.deb to
    libaprutil1-dbd-sqlite3_1.6.1-5+deb11u1_amd64.deb
    libaprutil1-ldap_1.6.1-5_amd64.deb to
    libaprutil1-ldap_1.6.1-5+deb11u1_amd64.deb

    This commit fixes the Integer Overflow or Wraparound vulnerability in
    the apr_base64 functions of Apache Portable Runtime Utility (APR-util)
    to prevent an attacker from writing beyond the bounds of a buffer.

    (Refer to https://security-tracker.debian.org/tracker/CVE-2022-25147)

    Test plan:
    PASS: build-pkgs --clean --all && build-image

    Closes-bug: 2009333
    Signed-off-by: Peng <email address hidden>
    Change-Id: I139b3d51df946004da3041f7e6438a475204bbff

Changed in starlingx:
status: In Progress → Fix Released