| Summary: | <dev-libs/apr-util-1.3.7: XML entity expansion DoS (CVE-2009-1955) |
|---|---|
| Product: | Gentoo Security |
| Reporter: | Alex Legler (RETIRED) <a3li> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | normal |
| CC: | apache-bugs, gentoo-bugs, hanno |
| Priority: | High |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | http://marc.info/?l=apr-dev&m=124396021826125&w=2 |
| Whiteboard: | A3 [glsa] |
| Package list: | |
| Runtime testing required: | --- |
| Bug Depends on: | 273304 |
| Bug Blocks: | 268643, 274193 |
| Attachments: | |
Description

Alex Legler (RETIRED)

The issue exists in apr-util. While parsing XML, the processing of recursive entity definitions is not limited.

*** Bug 272444 has been marked as a duplicate of this bug. ***

Created attachment 193426 [details, diff]
Backported patch from Apache SVN

This patch disables the parsing of entity declarations, as applied to trunk in upstream SVN.
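The two defensive policies this bug touches on, shown side by side on Python's bundled expat (pyexpat). This is an added example, not code from the Gentoo bug, from APR-util or from the backported patch: the first function refuses any entity declaration before expansion can start, which is the approach the upstream patch takes; the second allows entities but caps the total character data expansion may produce, which is the approach later libexpat releases (2.4.0 and newer) build in as an amplification limit. Both sample documents, the function names and the exception classes are constructed for the example.

```python
"""Guarded XML parsing with pyexpat: reject entity declarations, or bound expansion.

Added example, not part of the Gentoo bug, APR-util or the backported patch.
The sample documents below are constructed for this example.
"""
import xml.parsers.expat

# Constructed sample: a harmless document with no DTD at all.
BENIGN_XML = b"<d>hello</d>"

# Constructed sample: three levels of nested internal entities. Each level
# references the previous one twice, so &c; expands to four copies of &a;
# (40 characters) from a declaration of a few bytes. Each extra level
# doubles the output again, which is the memory-consumption DoS the CVE
# text describes; three levels is enough to show the detection working.
NESTED_ENTITY_XML = b"""<?xml version="1.0"?>
<!DOCTYPE d [
  <!ENTITY a "xxxxxxxxxx">
  <!ENTITY b "&a;&a;">
  <!ENTITY c "&b;&b;">
]>
<d>&c;</d>"""


class EntityDeclRejected(Exception):
    """Raised when the document declares an entity and the policy forbids it."""

    def __init__(self, name):
        super().__init__(f"entity declaration rejected: {name!r}")
        self.name = name


class ExpansionBudgetExceeded(Exception):
    """Raised when entity expansion produced more text than the caller allows."""

    def __init__(self, seen, limit):
        super().__init__(f"entity expansion produced {seen} chars, limit is {limit}")
        self.seen = seen
        self.limit = limit


def parse_with_entity_decls_rejected(data):
    """Policy 1 (what the APR-util patch does): refuse any entity declaration.

    Documents without a DTD parse normally and their text is returned; the
    first <!ENTITY ...> aborts parsing before any expansion can happen.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    # expat calls this for every internal or external entity declaration.
    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise EntityDeclRejected(name)

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def parse_with_expansion_budget(data, max_chars):
    """Policy 2: allow entities but cap the total character data produced.

    Expanded internal entities are delivered through CharacterDataHandler,
    so counting there bounds the amplification regardless of nesting depth.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    seen = 0

    def on_chars(text):
        nonlocal seen
        seen += len(text)
        if seen > max_chars:
            # Abort as soon as the budget is exceeded instead of after the
            # whole (possibly huge) expansion has been materialised.
            raise ExpansionBudgetExceeded(seen, max_chars)
        chunks.append(text)

    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return "".join(chunks)


if __name__ == "__main__":
    print(parse_with_entity_decls_rejected(BENIGN_XML))        # hello
    try:
        parse_with_entity_decls_rejected(NESTED_ENTITY_XML)
    except EntityDeclRejected as exc:
        print("policy 1:", exc)
    print(len(parse_with_expansion_budget(NESTED_ENTITY_XML, 100)))  # 40
    try:
        parse_with_expansion_budget(NESTED_ENTITY_XML, 32)
    except ExpansionBudgetExceeded as exc:
        print("policy 2:", exc)
```

Policy 1 is the right default for a server that never needs DTD features (mod_dav's PROPFIND bodies do not), because it costs nothing and closes the whole class. Policy 2 is for parsers that must accept entities; the budget should be set relative to the request body size, since the ratio of output to input, not the absolute size, is what distinguishes an expansion attack from a large but honest document.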
dev-libs/apr-1.3.5 was released on 2009-06-05. dev-libs/apr-util-1.3.7 was released on 2009-06-05.

======================================================
Name: CVE-2009-1955
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1955

The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564.

dev-libs/apr-1.3.5 and dev-libs/apr-util-1.3.7 are now in the tree. Arches, please test and mark stable:

=dev-libs/apr-1.3.5
=dev-libs/apr-util-1.3.7

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Current stable Subversion 1.5.6 errors out with this apr-util:

```
checking for availability of Berkeley DB... no
configure: error: Berkeley DB 4.0.14 wasn't found.
```

```
Portage 2.1.6.13 (default/linux/x86/2008.0/desktop, gcc-4.3.2, glibc-2.9_p20081201-r2, 2.6.29-gentoo-r5 i686)
=================================================================
System uname: Linux-2.6.29-gentoo-r5-i686-Intel-R-_Core-TM-2_Duo_CPU_T8100_@_2.10GHz-with-glibc2.0
Timestamp of tree: Tue, 09 Jun 2009 06:00:02 +0000
app-shells/bash: 3.2_p39
dev-java/java-config: 2.1.7
dev-lang/python: 2.4.6, 2.5.4-r2
dev-python/pycrypto: 2.0.1-r8
dev-util/cmake: 2.6.4
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox: 1.6-r2
sys-devel/autoconf: 2.13, 2.63
sys-devel/automake: 1.4_p6, 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils: 2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="en_EN.UTF8"
LDFLAGS="-Wl,--as-needed"
LINGUAS="en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X acl acpi alsa apache apache2 apm bash-completion berkdb bluetooth bootsplash branding bzip2 cairo cdr cdrom cli cracklib crypt css cups curl dbus directfb dri dvd dvdr dvdread dvi eds emacs emboss encode escreen esd evo fam fat fbcon fbcondecor ffmpeg firefox foomatic fortran gdbm gif gnome gpm gstreamer gtk hal iconv imlib ipv6 isdnlog jadetex jpeg jpeg2k kde kpathsea laptop latex ldap libnotify libotf lm_sensors m17n-lib mad midi mikmod mmx mp3 mpeg mudflap musicbrainz ncurses nls nptl nptl-only nptlonly ntfs ogg opengl openmp openssh pam pcre pdf perl pmu png ppds pppd preview-latex python qt3 qt3support qt4 quicktime readline reflection reports sdl session smp spell spl sqlite sse ssl startup-notification svg svga sysfs t1lib tcpd test-framework tetex theora tiff toolkit-scroll-bars truetype unicode usb userlocales vorbis win32codecs wmf x86 xft xml xorg xpm xulrunner xv xvid zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="synaptics mouse keyboard"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en"
USERLAND="GNU"
VIDEO_CARDS="vesa fbdev intel"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
```

(In reply to comment #8)
> Current stable Subversion 1.5.6 errors out with this apr-util:
>
> checking for availability of Berkeley DB... no
> configure: error: Berkeley DB 4.0.14 wasn't found.

And no, remerging apr-util does not solve the problem. A downgrade works perfectly, though. I have the following slots of sys-libs/db installed:

4.2.52_p5-r1(4.2)
4.3.29_p1-r1(4.3)
4.5.20_p2-r1(4.5)
4.6.21_p4(4.6)

config.log says:

```
configure:21492: i686-pc-linux-gnu-gcc -o conftest -O2 -march=i686 -pipe -fno-strict-aliasing -pthread -D_LARGEFILE64_SOURCE -DNE_LFS -I/usr/include/apr-1 -I/usr/include/db4.6 -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -I/usr/include/apr-1 -I/usr/include/apr-1 -I/usr/include/db4.6 -Wl,--as-needed -L/usr/lib conftest.c -L/usr/lib -lldap -llber -llber -lexpat >&5
/var/tmp/portage/dev-util/subversion-1.5.6/temp/ccaQxDVP.o: In function `main':
conftest.c:(.text+0x26): undefined reference to `db_version'
collect2: ld returned 1 exit status
configure:21496: $? = 1
configure: program exited with status 1
configure: failed program was:
| /* confdefs.h. */
| #define PACKAGE_NAME "subversion"
| #define PACKAGE_TARNAME "subversion"
| #define PACKAGE_VERSION "1.5.6"
| #define PACKAGE_STRING "subversion 1.5.6"
| #define PACKAGE_BUGREPORT "http://subversion.tigris.org/"
| #define SVN_NEON_0_26 1
| #define SVN_NEON_0_27 1
| #define SVN_NEON_0_28 1
| #define SVN_HAVE_NEON 1
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define HAVE_UNISTD_H 1
| #define SVN_BINDIR "/usr/bin"
| #define SVN_LOCALE_DIR "/usr/share/locale"
| #define HAVE_DLFCN_H 1
| /* end confdefs.h. */
|
| #include <stdlib.h>
| #define APU_WANT_DB
| #include <apu_want.h>
|
| int main ()
| {
|   int major, minor, patch;
|
|   db_version (&major, &minor, &patch);
|
|   /* Sanity check: ensure that db.h constants actually match the db library */
|   if (major != DB_VERSION_MAJOR
|       || minor != DB_VERSION_MINOR
|       || patch != DB_VERSION_PATCH)
|     exit (1);
|
|   /* Run-time check: ensure the library claims to be the correct version. */
|
|   if (major < 4)
|     exit (1);
|   if (major > 4)
|     exit (0);
|
|   if (minor < 0)
|     exit (1);
|   if (minor > 0)
|     exit (0);
|
|   if (patch >= 14)
|     exit (0);
|   else
|     exit (1);
| }
configure:21533: result: no
configure:21537: error: Berkeley DB 4.0.14 wasn't found.
```

(In reply to comment #8)
> Current stable Subversion 1.5.6 errors out with this apr-util:
>
> checking for availability of Berkeley DB... no
> configure: error: Berkeley DB 4.0.14 wasn't found.

Subversion 1.6.* contains improved manual detection of Berkeley DB. Subversion 1.6.2 will be stabilized in bug #273304.

Is the subversion incompatibility just a compile-time issue? Or will upgrading apr-util in a subversion 1.5.6 setup break subversion?

(In reply to comment #11)
> Is the subversion incompatibility just a compile-time issue? Or will upgrading
> apr-util in a subversion 1.5.6 setup break subversion?

This reads to me like a compile-time thing only.

Sparc briefly on hold because of Bug #273304 --- sparc keywords were dropped from subversion-1.6.2 versions, probably because of sqlite problems. We now have a usable version of sqlite-3.6.14.2, and I am verifying the latest subversions against it. For us to finish this bug, we'll have to mark sqlite-3.6.14.2 stable and then fast-stable subversion.

Stable for HPPA.

(In reply to comment #11)
> Is the subversion incompatibility just a compile-time issue?

Yes.

(In reply to comment #13)
> Sparc briefly on hold because of Bug #273304 --- sparc keywords were dropped
> from subversion-1.6.2 versions, probably because of sqlite problems.

It was due to bug #263337.

x86 stable

amd64 stable

Stable on alpha.

arm/ia64/s390/sh/sparc stable

ppc64 done

ppc done

GLSA request filed.

GLSA 200907-03