Bug 888755
| Summary: | mod_dav_svn: unrestricted internal XML entities expansion | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Florian Weimer <fweimer> |
| Component: | subversion | Assignee: | Joe Orton <jorton> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 25 | CC: | dmoppert, fweimer, jorton, security-response-team |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | subversion-1.9.5-1.fc25 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-07-06 15:47:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 888729 | ||
The Expat parser creation in subversion/libsvn_ra_serf/util.c and subversion/libsvn_subr/xml.c should be fixed as well, but these are in the client-side code (I think), and therefore less of a security concern. This bug is currently assigned to an unsupported release. If you think this bug is still valid and should remain open, please re-assign it to a supported release (F22, F23) or to rawhide. Bugs which will be assigned to an unsupported release are going to be closed as EOL (End Of Life) on January 26th, 2016. Still present in rawhide. Florian is there a patch for this issue? (In reply to Peter Robinson from comment #4) > Florian is there a patch for this issue? I don't think so. I reported it upstream here because I wasn't able to file a JIRA issue: <https://mail-archives.apache.org/mod_mbox/subversion-dev/201604.mbox/%3C87h9ernqse.fsf@mid.deneb.enyo.de%3E> Apache JIRA has been opened up again, so I filed a proper JIRA issue for this. This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'. This flaw was assigned CVE-2016-8734 which now has tracking bug 1399871. Package: subversion-1.9.5-1.fc25 Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=830879 *** This bug has been marked as a duplicate of bug 1399871 *** |
In subversion 1.7.7 in tools/server-side/mod_dontdothat/mod_dontdothat.c, there is the following code: ctx->xmlp = XML_ParserCreate(NULL); apr_pool_cleanup_register(r->pool, ctx->xmlp, clean_up_parser, apr_pool_cleanup_null); XML_SetUserData(ctx->xmlp, ctx); XML_SetElementHandler(ctx->xmlp, start_element, end_element); XML_SetCharacterDataHandler(ctx->xmlp, cdata); This doesn't disable entity expansion for the internal DTD subset, so there is a denial-of-service vector ("billion laughs attack"). I'm marking this as a security bug because it probably allows to crash Apache or trigger the kernel OOM handler. This should probably be fixed in coordination with Subversion upstream. Adding the following handler using XML_SetEntityDeclHandler(ctx->xmlp, EntityDeclHandler); should be sufficient to address this issue. // Stop the parser when an entity declaration is encountered. static void EntityDeclHandler(void *userData, const XML_Char *entityName, int is_parameter_entity, const XML_Char *value, int value_length, const XML_Char *base, const XML_Char *systemId, const XML_Char *publicId, const XML_Char *notationName) { XML_StopParser((XML_Parser)userData, XML_FALSE); }