CVE-2017-12613

NameCVE-2017-12613
DescriptionWhen apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and prior, out of bounds memory may be accessed in converting this value to an apr_time_exp_t value, potentially revealing the contents of a different static heap value or resulting in program termination, and may represent an information disclosure or denial of service vulnerability to applications which call these APR functions with unvalidated external input.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1162-1, DLA-2897-1, ELA-549-1
Debian Bugs879708

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
apr (PTS)jessie, jessie (lts)1.5.1-3+deb8u1fixed
stretch (security), stretch (lts), stretch1.5.2-5+deb9u1fixed
buster1.6.5-1fixed
bullseye (security), bullseye1.7.0-6+deb11u2fixed
bookworm1.7.2-3+deb12u1fixed
sid, trixie1.7.5-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
aprsourcewheezy1.4.6-3+deb7u2DLA-1162-1
aprsourcejessie1.5.1-3+deb8u1ELA-549-1
aprsourcestretch1.5.2-5+deb9u1DLA-2897-1
aprsource(unstable)1.6.3-1low879708

Notes

[jessie] - apr <no-dsa> (Minor issue)
mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E
Fixed by: https://github.com/apache/apr/commit/ad958385a4180d7a83d90589689fcd36e3bbc57a

Search for package or bug name: Reporting problems