PT-2009-2738 · Apache+1 · Apache Http Server+5

Published: 2009-06-01 · Updated: 2024-06-15 · CVE-2009-0023

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Name of the Vulnerable Software and Affected Versions

Apache APR-util versions prior to 1.3.5

Description

The issue allows remote attackers to cause a denial of service (daemon crash) via crafted input involving a .htaccess file used with the Apache HTTP Server, the SVNMasterURI directive in the mod_dav_svn module in the Apache HTTP Server, the mod_apreq2 module for the Apache HTTP Server, or an application that uses the libapreq2 library, which triggers a heap-based buffer underflow. A heap-based underwrite flaw was found in the way the bundled copy of the APR-util library created compiled forms of particular search patterns. An attacker could formulate a specially crafted search keyword that would overwrite arbitrary heap memory locations when processed by the pattern preparation engine.

Recommendations

For Apache APR-util versions prior to 1.3.5, update to version 1.3.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the apr_strmatch_precompile function until a patch is available. Avoid using crafted search keywords in applications that utilize the libapreq2 library until the issue is resolved.

Fix

DoS

Buffer Overflow

Weakness Enumeration

Related Identifiers

CVE-2009-0023
DSA-1812-1
HPSBUX02612
OPENSUSE-SU-2024:10268-1
OPENSUSE-SU-2024:10568-1
OPENSUSE-SU-2024:11586-1
RHSA-2009:1107
RHSA-2009:1108
RHSA-2009:1160
RHSA-2009_1107
RHSA-2010:0602

Affected Products

Apache Apr-Util
Apache Http Server
Red Hat
Libapreq2
Mod Apreq2
Mod Dav Svn