Bug 1397403 (CVE-2016-8734)

Summary: CVE-2016-8734 subversion: unrestricted XML entity expansion in mod_dontdothat and Subversion clients using http(s)://
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dmoppert, jorton, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: subversion 1.8.17, subversion 1.9.5 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-29 23:39:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1399871    
Bug Blocks: 1397404    
Attachments:
Description Flags
CVE-2016-8734-1.8.16.patch
none
CVE-2016-8734-1.9.4.patch none

Description Martin Prpič 2016-11-22 13:04:31 UTC
It was discovered that Subversion's mod_dontdothat module and Subversion clients using http(s):// are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. 

An authenticated remote attacker can cause denial-of-service conditions on the server using mod_dontdothat by sending a specially crafted REPORT request. The attack does not require access to a particular repository.

If an attacker has control over HTTP responses sent to a Subversion client, they can cause denial-of-service conditions on the client by injecting an XML bomb into the response.

Upstream bug:

https://issues.apache.org/jira/browse/SVN-4630

Comment 1 Martin Prpič 2016-11-22 13:04:36 UTC
Acknowledgments:

Name: Florian Weimer (Red Hat)

Comment 3 Martin Prpič 2016-11-22 13:07:13 UTC
Created attachment 1222728 [details]
CVE-2016-8734-1.8.16.patch

Comment 4 Martin Prpič 2016-11-22 13:07:16 UTC
Created attachment 1222729 [details]
CVE-2016-8734-1.9.4.patch

Comment 5 Doran Moppert 2016-11-25 03:35:08 UTC
There are two parts to this vulnerability:  server-side and client-side.

The client side vulnerability only affects subversion when built with the Serf WebDav library, not with the Neon WebDav library. Subversion for Red Hat Enterprise Linux 5, 6 and 7 is built with Neon, so it is not affected by the client-side vulnerability.

The server side vulnerability exists in mod_dontdothat, which was only moved from contrib into the standard release in subversion 1.7.3.  Red Hat Enterprise Linux 5 and 6 do not build or ship mod_dontdothat.

Comment 6 Doran Moppert 2016-11-25 04:56:09 UTC
Mitigation:

Only Apache+Subversion servers that have the "DontDoThatConfigFile" configuration option present are affected by this flaw. This option is not enabled in default httpd or mod_dav_svn configuration as shipped with Red Hat Enterprise Linux.

Comment 8 Doran Moppert 2016-11-29 23:39:33 UTC
Created subversion tracking bugs for this issue:

Affects: fedora-all [bug 1399871]