### Apache mod_dav / svn Remote Denial of Service Exploit ### by kcope / June 2009 ### ### Will exhaust all system memory ### Needs Authentication on normal DAV ### ### This can be especially serious stuff when used against ### svn (subversion) servers!! Svn might let the PROPFIND slip through ### without authentication. bwhahaaha :o) ### use at your own risk! See $URL. Filing this as UNCONFIRMED for now.
The issue exists in apr-util. While parsing XML, the processing of recursive entity definitions is not limited.
*** Bug 272444 has been marked as a duplicate of this bug. ***
Created attachment 193426 [details, diff] Backported patch from Apache SVN This patch disables the parsing of entity declarations, as applied to trunk in upstream SVN.
dev-libs/apr-1.3.5 was released on 2009-06-05. dev-libs/apr-util-1.3.7 was released on 2009-06-05.
====================================================== Name: CVE-2009-1955 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955 The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.
dev-libs/apr-1.3.5 and dev-libs/apr-util-1.3.7 are now in the tree.
Arches, please test and mark stable: =dev-libs/apr-1.3.5 =dev-libs/apr-util-1.3.7 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Current stable Subversion 1.5.6 errors out with this apr-util: checking for availability of Berkeley DB... no configure: error: Berkeley DB 4.0.14 wasn't found. Portage 2.1.6.13 (default/linux/x86/2008.0/desktop, gcc-4.3.2, glibc-2.9_p20081201-r2, 2.6.29-gentoo-r5 i686) ================================================================= System uname: Linux-2.6.29-gentoo-r5-i686-Intel-R-_Core-TM-2_Duo_CPU_T8100_@_2.10GHz-with-glibc2.0 Timestamp of tree: Tue, 09 Jun 2009 06:00:02 +0000 app-shells/bash: 3.2_p39 dev-java/java-config: 2.1.7 dev-lang/python: 2.4.6, 2.5.4-r2 dev-python/pycrypto: 2.0.1-r8 dev-util/cmake: 2.6.4 sys-apps/baselayout: 1.12.11.1 sys-apps/sandbox: 1.6-r2 sys-devel/autoconf: 2.13, 2.63 sys-devel/automake: 1.4_p6, 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2 sys-devel/binutils: 2.18-r3 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 1.5.26 virtual/os-headers: 2.6.27-r2 ACCEPT_KEYWORDS="x86" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=i686 -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d" CXXFLAGS="-O2 -march=i686 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LANG="en_EN.UTF8" LDFLAGS="-Wl,--as-needed" LINGUAS="en" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="3dnow 3dnowext X acl acpi alsa apache apache2 apm bash-completion berkdb bluetooth bootsplash branding bzip2 cairo cdr cdrom cli cracklib crypt css cups curl dbus directfb dri dvd dvdr dvdread dvi eds emacs emboss encode escreen esd evo fam fat fbcon fbcondecor ffmpeg firefox foomatic fortran gdbm gif gnome gpm gstreamer gtk hal iconv imlib ipv6 isdnlog jadetex jpeg jpeg2k kde kpathsea laptop latex ldap libnotify libotf lm_sensors m17n-lib mad midi mikmod mmx mp3 mpeg mudflap musicbrainz ncurses nls nptl nptl-only nptlonly ntfs ogg opengl openmp openssh pam pcre pdf perl pmu png ppds pppd preview-latex python qt3 qt3support qt4 quicktime readline reflection reports sdl session smp spell spl sqlite sse ssl startup-notification svg svga sysfs t1lib tcpd test-framework tetex theora tiff toolkit-scroll-bars truetype unicode usb userlocales vorbis win32codecs wmf x86 xft xml xorg xpm xulrunner xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="synaptics mouse keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="vesa fbdev intel" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
(In reply to comment #8) > Current stable Subversion 1.5.6 errors out with this apr-util: > > checking for availability of Berkeley DB... no > configure: error: Berkeley DB 4.0.14 wasn't found. And no, remerging apr-util does not solve the problem. A downgrade works perfect though, I have the following slots of sys-libs/db installed: 4.2.52_p5-r1(4.2) 4.3.29_p1-r1(4.3) 4.5.20_p2-r1(4.5) 4.6.21_p4(4.6) config.log says: configure:21492: i686-pc-linux-gnu-gcc -o conftest -O2 -march=i686 -pipe -fno-strict-aliasing -pthread -D_LARGEFILE64_SOURCE -DNE_LFS -I/usr/include/apr-1 -I/usr/include/db4 .6 -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -I/usr/include/apr-1 -I/usr/include/apr-1 -I/usr/include/db4.6 -Wl,--as-needed -L/usr/lib conftest.c -L/us r/lib -lldap -llber -llber -lexpat >&5 /var/tmp/portage/dev-util/subversion-1.5.6/temp/ccaQxDVP.o: In function `main': conftest.c:(.text+0x26): undefined reference to `db_version' collect2: ld returned 1 exit status configure:21496: $? = 1 configure: program exited with status 1 configure: failed program was: | /* confdefs.h. */ | #define PACKAGE_NAME "subversion" | #define PACKAGE_TARNAME "subversion" | #define PACKAGE_VERSION "1.5.6" | #define PACKAGE_STRING "subversion 1.5.6" | #define PACKAGE_BUGREPORT "http://subversion.tigris.org/" | #define SVN_NEON_0_26 1 | #define SVN_NEON_0_27 1 | #define SVN_NEON_0_28 1 | #define SVN_HAVE_NEON 1 | #define STDC_HEADERS 1 | #define HAVE_SYS_TYPES_H 1 | #define HAVE_SYS_STAT_H 1 | #define HAVE_STDLIB_H 1 | #define HAVE_STRING_H 1 | #define HAVE_MEMORY_H 1 | #define HAVE_STRINGS_H 1 | #define HAVE_INTTYPES_H 1 | #define HAVE_STDINT_H 1 | #define HAVE_UNISTD_H 1 | #define SVN_BINDIR "/usr/bin" | #define SVN_LOCALE_DIR "/usr/share/locale" | #define HAVE_DLFCN_H 1 | /* end confdefs.h. */ | | #include <stdlib.h> | #define APU_WANT_DB | #include <apu_want.h> | | int main () | { | int major, minor, patch; | | db_version (&major, &minor, &patch); | | /* Sanity check: ensure that db.h constants actually match the db library */ | if (major != DB_VERSION_MAJOR | || minor != DB_VERSION_MINOR | || patch != DB_VERSION_PATCH) | exit (1); | | /* Run-time check: ensure the library claims to be the correct version. */ | | if (major < 4) | exit (1); | if (major > 4) | exit (0); | | if (minor < 0) | exit (1); | if (minor > 0) | exit (0); | | if (patch >= 14) | exit (0); | else | exit (1); | } | configure:21533: result: no configure:21537: error: Berkeley DB 4.0.14 wasn't found.
(In reply to comment #8) > Current stable Subversion 1.5.6 errors out with this apr-util: > > checking for availability of Berkeley DB... no > configure: error: Berkeley DB 4.0.14 wasn't found. Subversion 1.6.* contains improved manual detection of Berkeley DB. Subversion 1.6.2 will be stabilized in bug #273304.
Is the subversion incompatibility just a compile-time issue? Or will upgrading apr-util in a subversion 1.5.6 setup break subversion?
(In reply to comment #11) > Is the subversion incompatibility just a compile-time issue? Or will upgrading > apr-util in a subversion 1.5.6 setup break subversion? This reads to me like a compile-thing only.
Sparc briefly on hold because of Bug #273304 --- sparc keywords were dropped from subversion -1.6.2 versions, probably because of sqlite problems. We now have a usable version of sqlite-3.6.14.2, and I am verifying the latest subversions against it. For us to finish this bug, we'll have to mark sqlite-3.6.14.2 stable and then fast-stable subversion.
Stable for HPPA.
(In reply to comment #11) > Is the subversion incompatibility just a compile-time issue? Yes. (In reply to comment #13) > Sparc briefly on hold because of Bug #273304 --- sparc keywords were dropped > from subversion -1.6.2 versions, probably because of sqlite problems. It was due to bug #263337.
x86 stable
amd64 stable
Stable on alpha.
arm/ia64/s390/sh/sparc stable
ppc64 done
ppc done
GLSA request filed.
GLSA 200907-03
