DescriptionAn out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitylow
Debian Bugs992789

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apr (PTS)stretch1.5.2-5fixed
bookworm, sid1.7.0-8fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
aprsourcestretch(not affected)
aprsourcebuster(not affected)


[buster] - apr <not-affected> (Vulnerable code re-introduced in 1.7.0)
[stretch] - apr <not-affected> (Vulnerable code re-introduced in 1.7.0)
The issue exists because the CVE-2017-12613 fix was not carried forward
in the APR 1.7.x branch and hence version 1.7.0 regressed from 1.6.3
and so vulnerable to the same issue.

Search for package or bug name: Reporting problems