CVE-2017-12613

Name: CVE-2017-12613
Description: When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1162-1
NVD severity: low (attack range: local)
Debian Bugs: 879708

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| apr (PTS) | jessie | 1.5.1-3 | vulnerable |
| apr (PTS) | stretch | 1.5.2-5 | vulnerable |
| apr (PTS) | buster, sid | 1.6.5-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| apr | source | (unstable) | 1.6.3-1 | low | | 879708 |
| apr | source | wheezy | 1.4.6-3+deb7u2 | low | DLA-1162-1 | |

Notes

[stretch] - apr <no-dsa> (Minor issue)
[jessie] - apr <no-dsa> (Minor issue)
mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E
Fixed by: https://github.com/apache/apr/commit/ad958385a4180d7a83d90589689fcd36e3bbc57a
