After the last apr update on Debian 5&6 / i386 for CVE-2011-0419 we observed multiple of our apache servers running 100%+ CPU randomly.

We identified the function going into an infinite loop to be apr_fnmatch trying to match pattern '/*/WEB-INF/' against any non-matching URI. This pattern is matched due to the following directive in our .conf:

    <Location "/*/WEB-INF/">
    deny from all
    </Location>

Problem was reproduced with Apache apr-1.4.4 recompiled from sources adding the extra testcase (testfnmatch.c):

    {"/*/WEB-INF/", "/wontmatch", FAIL},

Problem doesn't exist in apr-1.3.12. The Debian patch is apparently a backport of new code in 1.2/1.4 for Deb 5/6.

Debian patch info: http://packetstormsecurity.org/files/view/101435/dsa-2237-1.txt

Chris
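A hang-safe form of the regression check from the report above, as an added example that is not part of the original report or of APR's test suite. POSIX fnmatch() stands in for apr_fnmatch() (an assumption, so the check builds without APR), and guarded_match, spinning_matcher and the GUARD_* names are hypothetical.

```c
/* Added example: run a glob matcher under a watchdog so an infinite loop
 * shows up as a test failure instead of a stuck process.
 * Assumption: POSIX fnmatch() replaces apr_fnmatch(); both take
 * (pattern, string, flags) and return 0 on a match. */
#include <fnmatch.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef int (*match_fn)(const char *pattern, const char *string, int flags);

enum { GUARD_MATCH = 0, GUARD_NOMATCH = 1, GUARD_ERROR = 2, GUARD_HANG = 3 };

/* Call fn in a child process; alarm() terminates the child if it spins. */
static int guarded_match(match_fn fn, const char *pattern, const char *string,
                         unsigned timeout_s)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return GUARD_ERROR;
    if (pid == 0) {
        alarm(timeout_s);              /* default SIGALRM action: terminate */
        int rc = fn(pattern, string, 0);
        _exit(rc == 0 ? GUARD_MATCH
                      : rc == FNM_NOMATCH ? GUARD_NOMATCH : GUARD_ERROR);
    }
    if (waitpid(pid, &status, 0) != pid)
        return GUARD_ERROR;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGALRM ? GUARD_HANG : GUARD_ERROR;
    return WIFEXITED(status) ? WEXITSTATUS(status) : GUARD_ERROR;
}

/* Constructed stand-in for a matcher that never returns. */
static int spinning_matcher(const char *p, const char *s, int flags)
{
    volatile unsigned spin = 0;
    (void)p; (void)s; (void)flags;
    for (;;)
        spin++;
    return 0;                          /* not reached */
}

int main(void)
{
    /* Pattern and input are the test case quoted in the report. */
    int r = guarded_match(fnmatch, "/*/WEB-INF/", "/wontmatch", 2);
    return r == GUARD_NOMATCH ? 0 : 1;
}
```

To run the same check against an APR build, pass apr_fnmatch as the matcher and link against that APR.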
Bug reported to debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=627182
Instead of changing the algorithm, it is better to add a recursion limit and set it to 64 (not bigger). I see only one recursive call inside apr_fnmatch:

    while (apr_dir_read(&finfo, APR_FINFO_NAME, dir) == APR_SUCCESS) {
        if (apr_fnmatch(pattern, finfo.name, 0) == APR_SUCCESS) {

so it is better to limit this call than to change the algorithm.
This is fixed in 1.4.5