Bug 888755 - mod_dav_svn: unrestricted internal XML entities expansion
Summary: mod_dav_svn: unrestricted internal XML entities expansion
Keywords:
Status: CLOSED DUPLICATE of bug 1399871
Alias: None
Product: Fedora
Classification: Fedora
Component: subversion
Version: 25
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 888729
Reported: 2012-12-19 12:23 UTC by Florian Weimer
Modified: 2017-07-06 15:47 UTC (History)

Fixed In Version: subversion-1.9.5-1.fc25
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-07-06 15:47:03 UTC
Type: Bug
Embargoed:

Links
System       ID        Private  Priority  Status  Summary  Last Updated
Apache JIRA  SVN-4630  0        None      None    None     2016-05-09 07:41:54 UTC

Description Florian Weimer 2012-12-19 12:23:11 UTC
In subversion 1.7.7 in tools/server-side/mod_dontdothat/mod_dontdothat.c, there is the following code:

      ctx->xmlp = XML_ParserCreate(NULL);
      apr_pool_cleanup_register(r->pool, ctx->xmlp,
                                clean_up_parser,
                                apr_pool_cleanup_null);
      XML_SetUserData(ctx->xmlp, ctx);
      XML_SetElementHandler(ctx->xmlp, start_element, end_element);
      XML_SetCharacterDataHandler(ctx->xmlp, cdata);

This doesn't disable entity expansion for the internal DTD subset, so there is a denial-of-service vector ("billion laughs attack").  I'm marking this as a security bug because it probably allows crashing Apache or triggering the kernel OOM handler.  This should probably be fixed in coordination with Subversion upstream.

Adding the following handler using

  XML_SetEntityDeclHandler(ctx->xmlp, EntityDeclHandler);

should be sufficient to address this issue.

// Stop the parser when an entity declaration is encountered.
// Note: userData is whatever XML_SetUserData registered; the snippet above
// registers ctx, so the cast below presumes the parser itself was registered
// as the handler argument (e.g. via XML_UseParserAsHandlerArg).
static void
EntityDeclHandler(void *userData,
                  const XML_Char *entityName, int is_parameter_entity,
                  const XML_Char *value, int value_length,
                  const XML_Char *base, const XML_Char *systemId,
                  const XML_Char *publicId, const XML_Char *notationName)
{
  XML_StopParser((XML_Parser)userData, XML_FALSE);
}
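
The following is an added example, not code from the bug report or from the Subversion project. It shows the unprotected parser setup quoted above beside the proposed fix, using Python's stdlib binding to the same libexpat API (xml.parsers.expat): XML_SetEntityDeclHandler corresponds to parser.EntityDeclHandler, and since pyexpat exposes no XML_StopParser, raising from the handler is how it aborts parsing (pyexpat stops the parser and re-raises the exception from Parse()). The sample bodies (a PROPFIND-like request and a deliberately tiny three-level entity document) are constructed for the demonstration.

```python
# Added example (not code from the Subversion project or the bug report):
# the expat entity-declaration guard from the report, via Python's stdlib
# binding xml.parsers.expat. XML_SetEntityDeclHandler maps to
# parser.EntityDeclHandler; pyexpat has no XML_StopParser, so raising from
# the handler is how parsing is aborted (pyexpat stops the parser and
# re-raises the exception from Parse()).
import xml.parsers.expat as expat


class EntityDeclarationError(ValueError):
    """The internal DTD subset declared an entity; the body is refused."""


def _parse(data, reject_entities):
    """Parse `data` with expat. Returns the element names seen and the total
    number of character-data characters delivered, i.e. how much text the
    parser produced after entity expansion."""
    result = {"elements": [], "chars": 0}
    parser = expat.ParserCreate()

    def start_element(name, attrs):
        result["elements"].append(name)

    def cdata(text):
        result["chars"] += len(text)

    def entity_decl(entity_name, is_parameter_entity, value, base,
                    system_id, public_id, notation_name):
        # Counterpart of the C EntityDeclHandler in the report: any entity
        # declaration (internal or external, general or parameter) aborts
        # parsing before the entity can be referenced and expanded.
        raise EntityDeclarationError("entity declaration %r refused" % entity_name)

    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = cdata
    if reject_entities:
        parser.EntityDeclHandler = entity_decl
    parser.Parse(data, True)
    return result


def parse_unprotected(data):
    """Mirrors the mod_dontdothat setup quoted in the report: element and
    character-data handlers only, no entity declaration handler."""
    return _parse(data, reject_entities=False)


def parse_protected(data):
    """Same parser with the proposed EntityDeclHandler installed."""
    return _parse(data, reject_entities=True)


def is_rejected(data):
    """True if the hardened parser refuses `data` because it declares entities."""
    try:
        parse_protected(data)
    except EntityDeclarationError:
        return True
    return False


# Constructed sample bodies. BENIGN resembles a DAV PROPFIND request. LAUGHS is
# a deliberately tiny "billion laughs" document: three levels of 10x nesting,
# so a 6-byte reference expands to 3000 characters of text. Real attacks use
# many more levels, which is the denial of service the report describes.
BENIGN = b'<?xml version="1.0"?><propfind xmlns="DAV:"><prop><getetag/></prop></propfind>'
LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

if __name__ == "__main__":
    print("unprotected:", parse_unprotected(LAUGHS)["chars"], "chars delivered")
    print("protected rejects LAUGHS:", is_rejected(LAUGHS))
    print("protected accepts BENIGN:", parse_protected(BENIGN)["elements"])
```

Running it shows the unprotected parser delivering 3000 characters for the tiny document while the protected parser refuses it at the first `<!ENTITY` declaration and still accepts the entity-free PROPFIND body, which is the behaviour the proposed handler gives mod_dontdothat.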

Comment 1 Florian Weimer 2012-12-19 12:24:22 UTC
The Expat parser creation in subversion/libsvn_ra_serf/util.c and subversion/libsvn_subr/xml.c should be fixed as well, but these are in the client-side code (I think), and therefore less of a security concern.

Comment 2 Jan Kurik 2015-12-22 11:34:53 UTC
This bug is currently assigned to an unsupported release. If you think this bug is still valid and should remain open, please re-assign it to a supported release (F22, F23) or to rawhide.

Bugs which will be assigned to an unsupported release are going to be closed as EOL (End Of Life) on January 26th, 2016.

Comment 3 Florian Weimer 2016-04-23 15:51:55 UTC
Still present in rawhide.

Comment 4 Peter Robinson 2016-05-08 16:53:18 UTC
Florian is there a patch for this issue?

Comment 5 Florian Weimer 2016-05-09 07:41:54 UTC
(In reply to Peter Robinson from comment #4)
> Florian is there a patch for this issue?

I don't think so.  I reported it upstream here because I wasn't able to file a JIRA issue:

  <https://mail-archives.apache.org/mod_mbox/subversion-dev/201604.mbox/%3C87h9ernqse.fsf@mid.deneb.enyo.de%3E>

Apache JIRA has been opened up again, so I filed a proper JIRA issue for this.

Comment 6 Jan Kurik 2016-07-26 04:26:15 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Comment 7 Doran Moppert 2016-12-29 05:39:26 UTC
This flaw was assigned CVE-2016-8734 which now has tracking bug 1399871.

Comment 9 Joe Orton 2017-01-03 11:59:53 UTC
Package: subversion-1.9.5-1.fc25
Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=830879

Comment 10 Joe Orton 2017-07-06 15:47:03 UTC

*** This bug has been marked as a duplicate of bug 1399871 ***