Rapid7 Vulnerability & Exploit Database

RHSA-2009:1107: apr-util security update

Back to Search

RHSA-2009:1107: apr-util security update



apr-util is a utility library used with the Apache Portable Runtime (APR).It aims to provide a free library of C data structures and routines. Thislibrary contains additional utility interfaces for APR; including supportfor XML, LDAP, database interfaces, URI parsing, and more.An off-by-one overflow flaw was found in the way apr-util processed avariable list of arguments. An attacker could provide a specially-craftedstring as input for the formatted output conversion routine, which could,on big-endian platforms, potentially lead to the disclosure of sensitiveinformation or a denial of service (application crash). (CVE-2009-1956)Note: The CVE-2009-1956 flaw only affects big-endian platforms, such as theIBM S/390 and PowerPC. It does not affect users using the apr-util packageon little-endian platforms, due to their different organization of byteordering used to represent particular data.A denial of service flaw was found in the apr-util Extensible MarkupLanguage (XML) parser. A remote attacker could create a specially-craftedXML document that would cause excessive memory consumption when processedby the XML decoding engine. (CVE-2009-1955)A heap-based underwrite flaw was found in the way apr-util created compiledforms of particular search patterns. An attacker could formulate aspecially-crafted search keyword, that would overwrite arbitrary heapmemory locations when processed by the pattern preparation engine.(CVE-2009-0023)All apr-util users should upgrade to these updated packages, which containbackported patches to correct these issues. Applications using the ApachePortable Runtime library, such as httpd, must be restarted for this updateto take effect.


  • redhat-upgrade-apr-util
  • redhat-upgrade-apr-util-devel
  • redhat-upgrade-apr-util-docs


  • redhat-upgrade-apr-util
  • redhat-upgrade-apr-util-devel
  • redhat-upgrade-apr-util-docs

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center