Re: CVE-2022-22728: libapreq2: libapreq2 multipart form parse memory corruption

[John Helmert III <ajak () gentoo org>]

On Mon, Jan 02, 2023 at 12:51:04PM +0100, Arnout Engelen wrote:
> On Sat, Dec 31, 2022 at 6:42 PM John Helmert III <ajak () gentoo org> wrote:
> > On Sat, Dec 31, 2022 at 10:54:00AM +0100, Arnout Engelen wrote:
> > > On Fri, Dec 30, 2022 at 10:54 PM John Helmert III <ajak () gentoo org> wrote:
> > > > On Thu, Dec 29, 2022 at 10:50:26AM +0100, Salvatore Bonaccorso wrote:
> > > > > On Fri, Aug 26, 2022 at 11:01:23AM -0500, John Helmert III wrote:
> > > > > > On Thu, Aug 25, 2022 at 02:09:16PM +0000, Joe Orton wrote:
> > > > > > > A flaw in libapreq2 versions 2.16 and earlier could cause a buffer
> > > > > > > overflow while processing multipart form uploads.
> > > > > >
> > > > > > Is there a fixed version or patch or upstream issue?
> > >
> > > libapreq2 2.17 was released on the same day as the advisory describing
> > > the problem with 2.16 and earlier (https://httpd.apache.org/apreq/).
> >
> > Does it fix CVE-2022-22728? Whether or not it does isn't clear from
> > the changelog [1], and I can't find a reference to the CVE elsewhere
> > in the source tree.
>
> I think https://svn.apache.org/viewvc?view=revision&revision=1894937
> contained the fix for this issue. This is included in 2.17.

Great! Can you add that as a reference to the CVE and note the fixed
version in the description? Ideally, please also do this for future
CVEs/advisories too, so remediation is clear to everyone.

> Kind regards,
>
> Arnout

Attachment: signature.asc
Description: