Bug 2169652 (CVE-2022-25147)
| Field | Value |
|---|---|
| Summary | CVE-2022-25147 apr-util: out-of-bounds writes in the apr_base64 |
| Product | [Other] Security Response |
| Reporter | TEJ RATHI <trathi> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | aogburn, bdettelb, caswilli, csutherl, gandhi.srini, jburrell, jclere, jkoehler, kaycoth, luhliari, marat.abrarov, mturk, pdelbell, peholase, pjindal, plodge, szappis |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | apr-util 1.6.2 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in the Apache Portable Runtime Utility (APR-util) library. This issue may allow a malicious attacker to cause an out-of-bounds write due to an integer overflow when encoding/decoding a very long string using the base64 family of functions. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2023-06-05 18:20:12 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 2169657, 2169658, 2193499, 2196120, 2196568, 2196569, 2196570, 2196571, 2196572, 2196573, 2196574, 2196575, 2196576 |
| Bug Blocks | 2166092 |
Description
TEJ RATHI
2023-02-14 08:18:07 UTC
References:
https://lists.apache.org/thread/np5gjqlohc4f62lr09vrn61vl44cylh8
https://svn.apache.org/viewvc?view=revision&revision=1902206
https://github.com/apache/apr/commit/850cc4f69639ac9f1c1c9767efaf4883ee3217ce

Created apr-util tracking bugs for this issue:
Affects: fedora-all [bug 2193499]

*** Bug 2186440 has been marked as a duplicate of this bug. ***

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2023:3109 https://access.redhat.com/errata/RHSA-2023:3109

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.0 Extended Update Support
Via RHSA-2023:3146 https://access.redhat.com/errata/RHSA-2023:3146

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2023:3145 https://access.redhat.com/errata/RHSA-2023:3145

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2023:3147 https://access.redhat.com/errata/RHSA-2023:3147

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
Via RHSA-2023:3177 https://access.redhat.com/errata/RHSA-2023:3177

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.6 Extended Update Support
Via RHSA-2023:3178 https://access.redhat.com/errata/RHSA-2023:3178

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Extended Update Support
Via RHSA-2023:3360 https://access.redhat.com/errata/RHSA-2023:3360

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Advanced Update Support
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
Red Hat Enterprise Linux 8.2 Telecommunications Update Service
Via RHSA-2023:3380 https://access.redhat.com/errata/RHSA-2023:3380

This issue has been addressed in the following products:
JBCS httpd 2.4.51.sp2
Via RHSA-2023:3355 https://access.redhat.com/errata/RHSA-2023:3355

This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
JBoss Core Services for RHEL 8
Via RHSA-2023:3354 https://access.redhat.com/errata/RHSA-2023:3354

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2022-25147
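The Doc Text attributes the out-of-bounds write to an integer overflow when the base64 functions size their buffers for a very long input. The following is an added example, not APR's code and not the upstream fix linked in the references: it evaluates an int-based length formula of the form `((len + 2) / 3) * 4 + 1` with overflow probes so the wrap is reported instead of being undefined behaviour, puts a `size_t`-based helper beside it that rejects inputs longer than 1610612733 bytes (a bound derived here from INT_MAX and assumed for this example, not a value taken from the page), and encodes through a function that takes the destination capacity so a short buffer is refused rather than overrun. The function names, the bound and the sample input are constructed for this example; the overflow probes need GCC or Clang.

```c
/* Added example (not APR's code): int-based base64 length arithmetic
 * wrapping past INT_MAX, beside a size_t version that refuses oversized
 * input and an encoder that checks the destination capacity.
 * Requires GCC or Clang for __builtin_*_overflow. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Largest len for which ((len + 2) / 3) * 4 + 1 still fits in a 32-bit int.
 * Derived from INT_MAX = 2147483647 for this example; an assumption of the
 * example, not a value taken from the bug report. */
#define ENCODE_LEN_MAX 1610612733

/* The unchecked int formula, evaluated step by step with overflow probes.
 * Returns true when the formula would yield a wrapped (too small) size,
 * which is the condition that lets a later encode write out of bounds. */
bool encode_len_overflows(int len)
{
    int t;
    if (len < 0)
        return true;
    if (__builtin_add_overflow(len, 2, &t))
        return true;
    t /= 3;
    if (__builtin_mul_overflow(t, 4, &t))
        return true;
    return __builtin_add_overflow(t, 1, &t);
}

/* Hardened length helper: size_t in, 0 out when len is too long to be
 * encoded into an int-sized buffer. With len <= ENCODE_LEN_MAX, len + 2
 * cannot wrap and the result stays within INT_MAX. */
size_t checked_encode_len(size_t len)
{
    if (len > ENCODE_LEN_MAX)
        return 0;
    return (len + 2) / 3 * 4 + 1;
}

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encoder that is told the destination capacity and refuses to write past
 * it. Returns the number of bytes written (excluding the NUL), or 0 when
 * len is too long or dst cannot hold the encoding plus its NUL. */
size_t b64_encode_checked(char *dst, size_t dstcap,
                          const unsigned char *src, size_t len)
{
    size_t need = checked_encode_len(len);
    size_t o = 0, i;

    if (need == 0 || dstcap < need)
        return 0;

    for (i = 0; i + 2 < len; i += 3) {
        dst[o++] = B64[src[i] >> 2];
        dst[o++] = B64[((src[i] & 0x03) << 4) | (src[i + 1] >> 4)];
        dst[o++] = B64[((src[i + 1] & 0x0f) << 2) | (src[i + 2] >> 6)];
        dst[o++] = B64[src[i + 2] & 0x3f];
    }
    if (i < len) {                       /* one or two trailing bytes */
        dst[o++] = B64[src[i] >> 2];
        if (i + 1 < len) {
            dst[o++] = B64[((src[i] & 0x03) << 4) | (src[i + 1] >> 4)];
            dst[o++] = B64[(src[i + 1] & 0x0f) << 2];
        } else {
            dst[o++] = B64[(src[i] & 0x03) << 4];
            dst[o++] = '=';
        }
        dst[o++] = '=';
    }
    dst[o] = '\0';
    return o;
}

int main(void)
{
    const unsigned char sample[] = "Man";   /* constructed sample input */
    char out[8];
    size_t n = b64_encode_checked(out, sizeof out, sample, 3);

    printf("encoded %zu bytes: %s\n", n, out);
    printf("len %d overflows the int formula: %s\n", ENCODE_LEN_MAX + 1,
           encode_len_overflows(ENCODE_LEN_MAX + 1) ? "yes" : "no");
    return 0;
}
```

The point of the pairing is that the unchecked formula returns a plausible but too-small size for lengths just past the bound, and a caller that allocates from that size and then encodes the full input writes past the allocation; making the length helper fail loudly, and making the encoder take a capacity, closes both halves of that path.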