medium
6.4
CWE
119 189
Advisory Published
CVE Published
Updated

CVE-2009-1956: Buffer Overflow

First published: Sat Jun 06 2009(Updated: )

A single NULL byte buffer overflow flaw was found in apr-util's apr_brigade_vprintf() function. First let's assume the worst case and an attacker can control exactly what is being sent to apr_brigade_vprintf and can trigger this issue by filling the buckets just right so you end up with one that is perfectly full as per the explanation at <a href="http://www.mail-archive.com/dev@apr.apache.org/msg21592.html">http://www.mail-archive.com/dev@apr.apache.org/msg21592.html</a> 632 APU_DECLARE(apr_status_t) apr_brigade_vprintf(apr_bucket_brigade *b, ... 638 struct brigade_vprintf_data_t vd; 639 char buf[APR_BUCKET_BUFF_SIZE]; 640 apr_size_t written; ... 656 *(vd.vbuff.curpos) = '\0'; ... 659 return apr_brigade_write(b, flush, ctx, buf, vd.vbuff.curpos - buf); If we get to line 656 with vd.vbuff.curpos pointing to one past the end of buf we write a single NULL to the next thing on the stack after buf. And on the Linux x86 and x86_64 builds we looked at this is actually the first byte of the vd structure, which is in fact the LSB of vd.vbuff.curpos itself. So the only use of this after the overwrite is on line 659 where vd.vbuff.curpos gets used to calculate how much to write. Before the overwrite vd.vbuff.curpos was buf+APR_BUCKET_BUFF_SIZE (8000), but now it could be between 0 and 255 bytes less. So apr_brigade_write will end up writing out between 0 and 255 bytes less than it ought to, causing the truncation seen in the original bug report. So for little endian systems it doesn't seem to have any security consequence. Of course for a big endian system apr_brigade_write could end up dumping large amounts of memory (so an info disclosure leak or crash).

Credit: cve@mitre.org

Affected SoftwareAffected VersionHow to fix
apr-util<=1.3.4
Apache HTTP Server>=2.2.0<2.2.12
Ubuntu=6.06
Ubuntu=8.04
Ubuntu=8.10
Ubuntu=9.04

Remedy

http://svn.apache.org/viewvc?view=rev&revision=768417

Remedy

http://www.openwall.com/lists/oss-security/2009/06/06/1

Remedy

https://bugzilla.redhat.com/show_bug.cgi?id=504390

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2009-1956?

    CVE-2009-1956 has a medium severity rating due to the potential for a buffer overflow that could lead to application crashes or execution of arbitrary code.

  • How do I fix CVE-2009-1956?

    To fix CVE-2009-1956, update the Apache APR-util package to version 1.3.5 or higher.

  • What software is affected by CVE-2009-1956?

    CVE-2009-1956 affects Apache APR-util versions up to 1.3.4 and Apache HTTP Server versions between 2.2.0 and 2.2.12.

  • Can CVE-2009-1956 be exploited remotely?

    Yes, CVE-2009-1956 can potentially be exploited remotely if an attacker can control input to the affected functions.

  • Is CVE-2009-1956 present in specific Linux distributions?

    Yes, CVE-2009-1956 is present in specific versions of Ubuntu Linux, including 6.06, 8.04, 8.10, and 9.04.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203