Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 193426 Details for
Bug 272260
<dev-libs/apr-util-1.3.7: XML entity expansion DoS (CVE-2009-1955)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Backported patch from Apache SVN
apr-util-entity-expansion.patch (text/plain), 5.28 KB, created by
Alex Legler (RETIRED)
on 2009-06-03 17:05:04 UTC
(
hide
)
Description:
Backported patch from Apache SVN
Filename:
MIME Type:
Creator:
Alex Legler (RETIRED)
Created:
2009-06-03 17:05:04 UTC
Size:
5.28 KB
patch
obsolete
>Patch backported from Apache SVN for bug 272260. > >Index: test/data/billion-laughs.xml >=================================================================== >--- test/data/billion-laughs.xml (revision 0) >+++ test/data/billion-laughs.xml (revision 781409) >@@ -0,0 +1,36 @@ >+<?xml version="1.0"?> >+<!DOCTYPE billion [ >+<!ELEMENT billion (#PCDATA)> >+<!ENTITY laugh0 "ha"> >+<!ENTITY laugh1 "&laugh0;&laugh0;"> >+<!ENTITY laugh2 "&laugh1;&laugh1;"> >+<!ENTITY laugh3 "&laugh2;&laugh2;"> >+<!ENTITY laugh4 "&laugh3;&laugh3;"> >+<!ENTITY laugh5 "&laugh4;&laugh4;"> >+<!ENTITY laugh6 "&laugh5;&laugh5;"> >+<!ENTITY laugh7 "&laugh6;&laugh6;"> >+<!ENTITY laugh8 "&laugh7;&laugh7;"> >+<!ENTITY laugh9 "&laugh8;&laugh8;"> >+<!ENTITY laugh10 "&laugh9;&laugh9;"> >+<!ENTITY laugh11 "&laugh10;&laugh10;"> >+<!ENTITY laugh12 "&laugh11;&laugh11;"> >+<!ENTITY laugh13 "&laugh12;&laugh12;"> >+<!ENTITY laugh14 "&laugh13;&laugh13;"> >+<!ENTITY laugh15 "&laugh14;&laugh14;"> >+<!ENTITY laugh16 "&laugh15;&laugh15;"> >+<!ENTITY laugh17 "&laugh16;&laugh16;"> >+<!ENTITY laugh18 "&laugh17;&laugh17;"> >+<!ENTITY laugh19 "&laugh18;&laugh18;"> >+<!ENTITY laugh20 "&laugh19;&laugh19;"> >+<!ENTITY laugh21 "&laugh20;&laugh20;"> >+<!ENTITY laugh22 "&laugh21;&laugh21;"> >+<!ENTITY laugh23 "&laugh22;&laugh22;"> >+<!ENTITY laugh24 "&laugh23;&laugh23;"> >+<!ENTITY laugh25 "&laugh24;&laugh24;"> >+<!ENTITY laugh26 "&laugh25;&laugh25;"> >+<!ENTITY laugh27 "&laugh26;&laugh26;"> >+<!ENTITY laugh28 "&laugh27;&laugh27;"> >+<!ENTITY laugh29 "&laugh28;&laugh28;"> >+<!ENTITY laugh30 "&laugh29;&laugh29;"> >+]> >+<billion>&laugh30;</billion> > >Property changes on: test/data/billion-laughs.xml >___________________________________________________________________ >Added: svn:eol-style > + native > >Index: test/testxml.c >=================================================================== >--- test/testxml.c (revision 781402) >+++ test/testxml.c (revision 781409) >@@ -36,8 +36,7 @@ > return rv; > > rv = apr_file_puts("<?xml version=\"1.0\" ?>\n<maryx>" >- "<had a=\"little\"/><lamb its='fleece " >- "was white as snow' />\n", *fd); >+ "<had a=\"little\"/><lamb/>\n", *fd); > ABTS_INT_EQUAL(tc, APR_SUCCESS, rv); > > for (i = 0; i < 5000; i++) { >@@ -75,7 +74,7 @@ > > for (i = 0; i < 5000; i++) { > rv = apr_file_puts("<hmm roast=\"lamb\" " >- "for=\"dinner\">yummy</hmm>\n", *fd); >+ "for=\"dinner <>=\">yummy</hmm>\n", *fd); > ABTS_INT_EQUAL(tc, APR_SUCCESS, rv); > } > >@@ -103,7 +102,7 @@ > a = e->attr; > ABTS_PTR_NOTNULL(tc, a); > ABTS_STR_EQUAL(tc, "for", a->name); >- ABTS_STR_EQUAL(tc, "dinner", a->value); >+ ABTS_STR_EQUAL(tc, "dinner <>=", a->value); > a = a->next; > ABTS_PTR_NOTNULL(tc, a); > ABTS_STR_EQUAL(tc, "roast", a->name); >@@ -149,11 +148,29 @@ > ABTS_TRUE(tc, rv != APR_SUCCESS); > } > >+static void test_billion_laughs(abts_case *tc, void *data) >+{ >+ apr_file_t *fd; >+ apr_xml_parser *parser; >+ apr_xml_doc *doc; >+ apr_status_t rv; >+ >+ rv = apr_file_open(&fd, "data/billion-laughs.xml", >+ APR_FOPEN_READ, 0, p); >+ APR_ASSERT_SUCCESS(tc, "open billion-laughs.xml", rv); >+ >+ rv = apr_xml_parse_file(p, &parser, &doc, fd, 2000); >+ ABTS_TRUE(tc, rv != APR_SUCCESS); >+ >+ apr_file_close(fd); >+} >+ > abts_suite *testxml(abts_suite *suite) > { > suite = ADD_SUITE(suite); > > abts_run_test(suite, test_xml_parser, NULL); >+ abts_run_test(suite, test_billion_laughs, NULL); > > return suite; > } >Index: xml/apr_xml.c >=================================================================== >--- xml/apr_xml.c (revision 781402) >+++ xml/apr_xml.c (revision 781409) >@@ -347,6 +347,25 @@ > return APR_SUCCESS; > } > >+#if XML_MAJOR_VERSION > 1 >+/* Stop the parser if an entity declaration is hit. */ >+static void entity_declaration(void *userData, const XML_Char *entityName, >+ int is_parameter_entity, const XML_Char *value, >+ int value_length, const XML_Char *base, >+ const XML_Char *systemId, const XML_Char *publicId, >+ const XML_Char *notationName) >+{ >+ apr_xml_parser *parser = userData; >+ >+ XML_StopParser(parser->xp, XML_FALSE); >+} >+#else >+/* A noop default_handler. */ >+static void default_handler(void *userData, const XML_Char *s, int len) >+{ >+} >+#endif >+ > APU_DECLARE(apr_xml_parser *) apr_xml_parser_create(apr_pool_t *pool) > { > apr_xml_parser *parser = apr_pcalloc(pool, sizeof(*parser)); >@@ -372,6 +391,19 @@ > XML_SetElementHandler(parser->xp, start_handler, end_handler); > XML_SetCharacterDataHandler(parser->xp, cdata_handler); > >+ /* Prevent the "billion laughs" attack against expat by disabling >+ * internal entity expansion. With 2.x, forcibly stop the parser >+ * if an entity is declared - this is safer and a more obvious >+ * failure mode. With older versions, installing a noop >+ * DefaultHandler means that internal entities will be expanded as >+ * the empty string, which is also sufficient to prevent the >+ * attack. */ >+#if XML_MAJOR_VERSION > 1 >+ XML_SetEntityDeclHandler(parser->xp, entity_declaration); >+#else >+ XML_SetDefaultHandler(parser->xp, default_handler); >+#endif >+ > return parser; > } >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 272260
: 193426