Bug 700390 (CVE-2011-1755)

Summary: CVE-2011-1755 jabberd: DoS via the XML "billion laughs attack"
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: cperry, dmaphy, jpazdziora, jskrabal, mzazrivec, security-response-team, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jabberd 2.2.14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-03-26 15:35:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 709794, 709795, 709796    
Bug Blocks: 712910    
Attachments:
Description Flags
Proposed patch from Tomasz Sterna of jabberd2 upstream
none
Corrrected previously added patch. Correction by Jamie Strandboge of Ubuntu.
none
upstream patch none

Description Jan Lieskovsky 2011-04-28 09:49:04 UTC 
jabberd2, when expat is used, do not properly detect recursion
during entity expansion, which allows context-dependent attackers
to cause a denial of service (memory and CPU consumption) via a
crafted XML document containing a large number of nested entity
references, aka the "billion laughs attack." 

References:
[1] http://en.wikipedia.org/wiki/Billion_laughs
[2] http://www.webcitation.org/5wwJidGdh
Comment 1 Jan Lieskovsky 2011-04-28 09:51:45 UTC 
This issue affects the versions of the jabberd package, as present
within EPEL-5 and EPEL-6 repositories.

This issue affects the versions of the jabberd package, as shipped
with Fedora release of 13 and 14.
Comment 4 Jan Lieskovsky 2011-04-28 13:10:29 UTC 
The CVE identifier of CVE-2011-1755 has been assigned to this issue.
Comment 6 Jan Lieskovsky 2011-05-04 08:50:46 UTC 
Created attachment 496732 [details]
Proposed patch from Tomasz Sterna of jabberd2 upstream
Comment 7 Jan Lieskovsky 2011-05-04 08:52:41 UTC 
And relevant correction from Jamie Strandboge of Ubuntu Security Team
regarding the patch in previous comment (updated patch version also
attached in next comment):

> Great to hear that!
> In the meantime I reached Tomasz Sterna who provided a patch for jabberd2
> (attached).

There is a typo in the jabberd2 patch I discovered while backporting it
to 2.0s11. The patch has this:

+#if XML_MAJOR_VERSION > 0
+/* XML_StopParser is present in expat 2.x */
+#define HAVE_XML_STOPPARSER
+#endif
+

So the check and the comment don't go together, and indeed, according to
the changelog, 2.0s11 has expat 1.95.7. This should obviously be changed
to '#if XML_MAJOR_VERSION > 1'.

Attached is a lightly tested patch with this change along with massaging
for 2.0s11. Using the reproducer, I see the patch is working via the c2s
log:
Tue May 3 21:53:51 2011 [notice] [13] [127.0.0.1, port=52834] connect
Tue May 3 21:53:51 2011 [notice] [13] [127.0.0.1, port=52834] error: Stream error (Expected stream start)
Tue May 3 21:53:51 2011 [notice] [13] [127.0.0.1, port=52834] disconnect

Prior to the update, c2s would not disconnect and be DoSd.

-- 
Jamie Strandboge | http://www.canonical.com
Comment 8 Jan Lieskovsky 2011-05-04 08:53:59 UTC 
Created attachment 496733 [details]
Corrrected previously added patch. Correction by Jamie Strandboge of Ubuntu.
Comment 9 Jan Lieskovsky 2011-05-10 16:09:06 UTC 
(In reply to comment #7)
> There is a typo in the jabberd2 patch I discovered while backporting it
> to 2.0s11. The patch has this:
> 
> +#if XML_MAJOR_VERSION > 0
> +/* XML_StopParser is present in expat 2.x */
> +#define HAVE_XML_STOPPARSER
> +#endif
> +
> 
> So the check and the comment don't go together, and indeed, according to
> the changelog, 2.0s11 has expat 1.95.7. This should obviously be changed
> to '#if XML_MAJOR_VERSION > 1'.
> 

Reply from Tomasz Sterna of jabberd2 upstream regarding the above:
==================================================================
Dnia 2011-05-04, śro o godzinie 05:13 -0400, Red Hat Security Response
Team pisze:
> To Tomasz Sterna regarding the small issue with the jabberd2 patch,
> Jamie mentioned earlier -- Tomas could you comment if you (jabberd2
> upstream is OK with the updated patch version) and that being the
> one intended to be applied by jabberd2 upstream?

It's hard to verify, because Expat documentation is non-existant, but
assuming the comment that the XML_StopParser() function is present in
2.x release of Expat, I'm going to release the updated patch with:

#if XML_MAJOR_VERSION > 1

-- 
Tomasz Sterna
Instant Messaging Consultant : Open Source Developer
http://tomasz.sterna.tv/ http://www.xiaoka.com/
Comment 10 Vincent Danen 2011-06-01 16:24:54 UTC 
This is now public with the fixed 2.2.14 version:

http://codex.xiaoka.com/svn/jabberd2/tags/jabberd-2.2.14/ChangeLog
Comment 11 Vincent Danen 2011-06-01 16:26:53 UTC 
Created jabberd tracking bugs for this issue

Affects: epel-5 [bug 709794]
Affects: epel-6 [bug 709795]
Affects: fedora-all [bug 709796]
Comment 12 Vincent Danen 2011-06-01 16:39:04 UTC 
Created attachment 502318 [details]
upstream patch

Taken from the upstream svn repository (r937 is the commit to fix the flaw).
Comment 13 Dominic Hopf 2011-06-02 13:20:33 UTC 
Thanks very much for reporting this issue and the great preliminary support! I've updated jabberd to 2.2.14 in Rawhide, F15, F14 and EPEL-6. For F13 and EPEL-5, I backported the fix. Any concerning update can be found here:

https://admin.fedoraproject.org/updates/search/CVE-2011-1755


Feel free to test those updates and may also give some karma. :)
Comment 14 Dominic Hopf 2011-06-13 15:30:41 UTC 
Updates are stable in the meanwhile for almost all branches if I see correctly. What's the proper procedure to proceed with this bug? Am I able to close this issue with the stable updates?
Comment 15 Jan Lieskovsky 2011-06-13 15:58:54 UTC 
Hi, Dominic,

  thank you for checking with us.

(In reply to comment #14)
> Updates are stable in the meanwhile for almost all branches if I see correctly.
> What's the proper procedure to proceed with this bug? Am I able to close this
> issue with the stable updates?

This bug will be closed by Red Hat Security Response Team member once the issue
has been addressed in all affected products (there is yet one Red Hat specific
unfixed one). Once that one has addressed the issue too, we will close this entry.

Hope this helps. Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 16 Jan Lieskovsky 2011-06-16 12:37:55 UTC 
This issue affects the versions of the jabberd package, as shipped with
Red Hat Network Satellite Server version 5.0.2, 5.1.1, 5.2.1, 5.3.0, and 5.4.0.

--

This issue affects the versions of the jabberd package, as shipped with
Red Hat Network Proxy Server version 5.0.2, 5.1.1, 5.2.1, 5.3.0, and 5.4.0.
Comment 17 Jan Lieskovsky 2011-06-16 12:46:15 UTC 
Statement:

Vulnerable. This issue has been addressed in Red Hat Network Satellite Server v 5.4.1 via RHSA-2011:0882 https://rhn.redhat.com/errata/RHSA-2011-0882.html and in Red Hat Network Proxy Server v5.4.1 via RHSA-2011:0881 https://rhn.redhat.com/errata/RHSA-2011-0881.html. This issue is not planned
to be fixed in Red Hat Network Satellite Server versions 5.0.2, 5.1.1, 5.2.1, 5.3.0 and not planned to be fixed in Red Hat Network Proxy Server versions 5.0.2, 5.1.1, 5.2.1, and 5.3.0.
Comment 18 errata-xmlrpc 2011-06-16 19:21:41 UTC 
This issue has been addressed in following products:

  Red Hat Network Proxy v 5.4

Via RHSA-2011:0881 https://rhn.redhat.com/errata/RHSA-2011-0881.html
Comment 19 errata-xmlrpc 2011-06-16 19:34:47 UTC 
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.4

Via RHSA-2011:0882 https://rhn.redhat.com/errata/RHSA-2011-0882.html
Comment 20 bilal 2023-06-20 09:14:40 UTC Comment hidden (spam)
Comment 21 bilal 2025-03-17 08:58:59 UTC Comment hidden (spam)
Comment 22 bilal 2025-07-16 11:29:21 UTC Comment hidden (spam)