Bug 1506532 (CVE-2017-12618)

Summary: CVE-2017-12618 apr-util: Out-of-bounds access in corrupted SDBM database
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bmaxwell, bojan, cdewolf, chazlett, csutherl, darran.lofthouse, dimitris, dosoudil, gzaronik, jawilson, jclere, jdoyle, jkaluza, jondruse, jorton, jshepherd, lgao, luhliari, mbabacek, mturk, myarboro, ppalaga, pslavice, rnetuka, rstancel, rsvoboda, slawomir, twalsh, vtunka, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: apr-util 1.6.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 11:57:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1506535, 1506922, 1506923    
Bug Blocks: 1506539    

Description Andrej Nemec 2017-10-26 09:39:32 UTC 
Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail to validate the integrity of SDBM database files used by apr_sdbm*() functions, resulting in a possible out of bound read access. A local user with write access to the database can make a program or process using these functions crash, and cause a denial of service.

External References:

http://www.apache.org/dist/apr/Announcement1.x.html
Comment 1 Andrej Nemec 2017-10-26 09:40:11 UTC 
Created apr-util tracking bugs for this issue:

Affects: fedora-all [bug 1506535]
Comment 7 Joshua Padman 2019-08-06 04:24:30 UTC 
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Core Services

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.