CVE-2019-12412: 
Linux Debian vulnerability analysis and mitigation

A vulnerability was discovered in libapreq2 versions 2.07 to 2.13 (CVE-2019-12412) where the multipart parser could dereference a null pointer leading to a process crash. The flaw was introduced in 2005 and affects all versions of libapreq2 that were shipped in various distributions (Debian Bug, Ubuntu Security).

The vulnerability exists in the multipart parser where a NULL pointer dereference occurs when processing nested multipart form submissions. Specifically, when a Content-Type field contains 'multipart/' without a boundary attribute, the createmultipartcontext() function returns NULL, but the code proceeds to dereference this pointer without validation. The vulnerability has a CVSS 3.1 Base Score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Ubuntu Security).

When exploited, this vulnerability allows a remote attacker to cause a process crash by sending a specially crafted HTTP request, potentially leading to a denial of service condition. The impact is limited to availability, with no direct effect on confidentiality or integrity (NVD).

The issue has been fixed by adding a NULL pointer check before dereferencing the context returned by createmultipartcontext(). The fix was committed to the Apache Subversion repository in revision 1866760. Various distributions have released patched versions: Ubuntu has fixed it in multiple releases including 18.04 LTS (2.13-7~deb10u1build0.18.04.1) and 16.04 LTS (2.13-4ubuntu2+esm1) (Ubuntu Security).