Bug 888755

Summary: mod_dav_svn: unrestricted internal XML entities expansion
Product: [Fedora] Fedora
Reporter: Florian Weimer <fweimer>
Component: subversion
Assignee: Joe Orton <jorton>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 25
CC: dmoppert, fweimer, jorton, security-response-team
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: subversion-1.9.5-1.fc25
Doc Type: Bug Fix
Type: Bug
Last Closed: 2017-07-06 15:47:03 UTC
Bug Blocks: 888729

Description Florian Weimer 2012-12-19 12:23:11 UTC
In subversion 1.7.7 in tools/server-side/mod_dontdothat/mod_dontdothat.c, there is the following code:

      ctx->xmlp = XML_ParserCreate(NULL);
      apr_pool_cleanup_register(r->pool, ctx->xmlp,
                                clean_up_parser,
                                apr_pool_cleanup_null);
      XML_SetUserData(ctx->xmlp, ctx);
      XML_SetElementHandler(ctx->xmlp, start_element, end_element);
      XML_SetCharacterDataHandler(ctx->xmlp, cdata);

This doesn't disable entity expansion for the internal DTD subset, so there is a denial-of-service vector ("billion laughs attack").  I'm marking this as a security bug because it probably makes it possible to crash Apache or trigger the kernel OOM handler.  This should probably be fixed in coordination with Subversion upstream.

Adding the following handler using

  XML_SetEntityDeclHandler(ctx->xmlp, EntityDeclHandler);

should be sufficient to address this issue.

// Stop the parser when an entity declaration is encountered.
// Expat passes the handlers whatever was registered with XML_SetUserData;
// in mod_dontdothat that is the filter context (ctx), not the parser, so the
// parser to stop is taken from ctx->xmlp.  XML_FALSE makes the stop
// non-resumable: the parse fails with XML_ERROR_ABORTED.
static void
EntityDeclHandler(void *userData,
                  const XML_Char *entityName, int is_parameter_entity,
                  const XML_Char *value, int value_length,
                  const XML_Char *base, const XML_Char *systemId,
                  const XML_Char *publicId, const XML_Char *notationName)
{
  dontdothat_filter_ctx *ctx = userData;
  XML_StopParser(ctx->xmlp, XML_FALSE);
}
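
Added example, not code from this report or from Subversion: the same Expat entity-declaration guard shown through CPython's xml.parsers.expat bindings (which wrap the Expat library mod_dontdothat uses), so it runs without Apache. An unguarded parser, set up like the mod_dontdothat excerpt above, expands a small constructed internal-DTD entity chain and delivers the full expanded text; a parser with an EntityDeclHandler that aborts the parse (pyexpat's analogue of XML_StopParser is raising an exception from the handler) rejects the same input at the first declaration, before any expansion. The function names, the exception class and the sample document are all constructed for this example; the depth and fan-out are deliberately tiny.

```python
"""Expat entity-declaration guard, demonstrated with Python's xml.parsers.expat."""
import xml.parsers.expat


class EntityDeclared(Exception):
    """Raised from the handler to abort the parse; pyexpat propagates it out of Parse()."""


def make_sample_document(depth=3, fanout=10):
    """Constructed sample: an internal DTD subset in which entity eN expands to
    `fanout` references to e(N-1), so the root content grows as fanout**depth.
    Small values are used on purpose; the shape is what matters, not the size."""
    decls = ['<!ENTITY e0 "x">']
    for i in range(1, depth + 1):
        decls.append('<!ENTITY e%d "%s">' % (i, ('&e%d;' % (i - 1)) * fanout))
    return ('<?xml version="1.0"?>\n<!DOCTYPE r [\n%s\n]>\n<r>&e%d;</r>\n'
            % ('\n'.join(decls), depth))


def parse_unguarded(doc):
    """Mirror the mod_dontdothat setup: character-data handler only, no entity
    handler.  Returns how many characters Expat delivered after expansion,
    i.e. the memory and CPU the server paid for the request."""
    delivered = []
    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = delivered.append
    parser.Parse(doc, True)
    return sum(len(chunk) for chunk in delivered)


def parse_guarded(doc):
    """Same parser plus an EntityDeclHandler that aborts on the first entity
    declaration, as the C handler in the report does with XML_StopParser.
    Returns ('rejected', entity_name) or ('accepted', delivered_chars)."""
    delivered = []
    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = delivered.append

    def entity_decl(entity_name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
        # Fires for internal, external and parameter entities alike, and the
        # declaration is seen before any reference to it can be expanded.
        raise EntityDeclared(entity_name)

    parser.EntityDeclHandler = entity_decl
    try:
        parser.Parse(doc, True)
    except EntityDeclared as declared:
        return ('rejected', str(declared))
    return ('accepted', sum(len(chunk) for chunk in delivered))


def amplification(doc):
    """Expanded character data per request byte for the unguarded parser."""
    return parse_unguarded(doc) / len(doc)


if __name__ == '__main__':
    doc = make_sample_document()
    print('request bytes:', len(doc))
    print('unguarded, delivered chars:', parse_unguarded(doc))
    print('amplification: %.1fx' % amplification(doc))
    print('guarded:', parse_guarded(doc))
    print('guarded, plain request:', parse_guarded('<r>hello</r>'))
```

Rejecting on any entity declaration is the right default for a request body parser that never legitimately needs a DTD: it needs no size accounting, cannot be tuned wrong, and fails the request before the first expansion. Newer Expat releases also ship their own amplification limit, but it only activates above a multi-megabyte threshold, so a handler like this remains the precise control for small request bodies.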

Comment 1 Florian Weimer 2012-12-19 12:24:22 UTC
The Expat parser creation in subversion/libsvn_ra_serf/util.c and subversion/libsvn_subr/xml.c should be fixed as well, but these are in the client-side code (I think), and therefore less of a security concern.

Comment 2 Jan Kurik 2015-12-22 11:34:53 UTC
This bug is currently assigned to an unsupported release. If you think this bug is still valid and should remain open, please re-assign it to a supported release (F22, F23) or to rawhide.

Bugs which will be assigned to an unsupported release are going to be closed as EOL (End Of Life) on January 26th, 2016.

Comment 3 Florian Weimer 2016-04-23 15:51:55 UTC
Still present in rawhide.

Comment 4 Peter Robinson 2016-05-08 16:53:18 UTC
Florian is there a patch for this issue?

Comment 5 Florian Weimer 2016-05-09 07:41:54 UTC
(In reply to Peter Robinson from comment #4)
> Florian is there a patch for this issue?

I don't think so.  I reported it upstream here because I wasn't able to file a JIRA issue:

  <https://mail-archives.apache.org/mod_mbox/subversion-dev/201604.mbox/%3C87h9ernqse.fsf@mid.deneb.enyo.de%3E>

Apache JIRA has been opened up again, so I filed a proper JIRA issue for this.

Comment 6 Jan Kurik 2016-07-26 04:26:15 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Comment 7 Doran Moppert 2016-12-29 05:39:26 UTC
This flaw was assigned CVE-2016-8734 which now has tracking bug 1399871.

Comment 9 Joe Orton 2017-01-03 11:59:53 UTC
Package: subversion-1.9.5-1.fc25
Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=830879

Comment 10 Joe Orton 2017-07-06 15:47:03 UTC

*** This bug has been marked as a duplicate of bug 1399871 ***