Bug 600468 (CVE-2016-8734) - <dev-vcs/subversion-{1.8.17,1.9.5}: Unrestricted XML entity expansion in mod_dontdothat and HTTP clients (CVE-2016-8734)
Summary: <dev-vcs/subversion-{1.8.17,1.9.5}: Unrestricted XML entity expansion in mod_...
Status: RESOLVED FIXED
Alias: CVE-2016-8734
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-22 12:05 UTC by Aaron Bauman (RETIRED)
Modified: 2017-01-15 22:57 UTC

See Also:
Package list:
=dev-vcs/subversion-1.8.17 =dev-vcs/subversion-1.9.5
Runtime testing required: ---
kensington: sanity-check+


Attachments
1.8.16 patch (CVE-2016-8734-1.8.16.patch,6.25 KB, patch)
2016-11-22 12:33 UTC, Aaron Bauman (RETIRED)
1.9.4 patch (CVE-2016-8734-1.9.4.patch,6.25 KB, patch)
2016-11-22 12:33 UTC, Aaron Bauman (RETIRED)

Description Aaron Bauman (RETIRED) gentoo-dev 2016-11-22 12:05:45 UTC
Details inbound...
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-11-22 12:12:14 UTC
  Unrestricted XML entity expansion in mod_dontdothat and Subversion
  clients using http(s)://

Summary:
========

  Subversion's mod_dontdothat module and clients using http(s):// are
  vulnerable to a denial-of-service attack caused by exponential
  XML entity expansion.  The attack, otherwise known as the "billion
  laughs attack", targets XML parsers and can cause the targeted process
  to consume an excessive amount of CPU resources or memory.

  There are no known instances of this problem being exploited in the
  wild.  The details for this vulnerability have been disclosed on the
  Subversion development mailing list.

Known vulnerable:
=================

  mod_dontdothat 1.4.0 through 1.8.16 (inclusive)
  mod_dontdothat 1.9.0 through 1.9.4 (inclusive)

  Subversion clients 1.4.0 through 1.8.16 (inclusive)
  Subversion clients 1.9.0 through 1.9.4 (inclusive)

  Note: Subversion clients 1.4.0 through 1.7.22 can use either Serf
  or Neon as HTTP library.  Among these versions, only clients using
  Serf are vulnerable.

Known fixed:
============

  Subversion 1.8.17
  Subversion 1.9.5

  Subversion clients not using http(s):// are not vulnerable.

Details:
========

  The attack takes advantage of three properties of XML (substitution
  entities, nested entities, and inline DTDs) that allow preparing an
  XML bomb -- a small block of XML that can require a significant
  amount of CPU resources or memory to process.

  An authenticated remote attacker can cause denial-of-service conditions
  on the server using mod_dontdothat by sending a specially crafted
  REPORT request.  The attack does not require access to a particular
  repository.

  If an attacker has control over HTTP responses sent to a Subversion
  client, he can cause denial-of-service conditions on the client by
  injecting the XML bomb into the response.

Severity:
=========

  CVSSv2 Base Score: 3.5
  CVSSv2 Base Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P

  We consider this to be a medium risk vulnerability.

  While mod_dontdothat is not typically installed, server installations
  using it are vulnerable to authenticated attackers.  The attack does
  not require read access to a particular repository.  Servers which
  allow for anonymous reads will be vulnerable without authentication.

  The client side of this vulnerability might be exploited as well, but
  requires an attacker to have control over HTTP responses delivered to
  the client.

Recommendations:
================

  We recommend that all users upgrade to Subversion 1.9.5.  Users of
  Subversion 1.8.x and 1.9.x who are unable to upgrade may apply the
  included patch.

  New Subversion packages can be found at:
  http://subversion.apache.org/packages.html

  No workaround is available.

References:
===========

  CVE-2016-8734  (Subversion)

Reported by:
============

  Florian Weimer, Red Hat, Inc.
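The advisory's Details section names the three XML properties an XML bomb relies on (substitution entities, nested entities, inline DTDs). The following is an added example, written against Python's expat bindings and not taken from the Subversion patch or from Gentoo's tree, of the two defensive postures a parser can take: refuse any entity declaration outright, or accept entities but cap the amplification ratio. Both fixtures are constructed for the demonstration.

```python
import xml.parsers.expat

# Constructed fixtures (not from the advisory or the patch): a benign document
# and a three-level nested-entity document of the shape the advisory describes
# (a -> 10 chars, b -> 10 a's, c -> 10 b's, so &c; expands to 1000 chars).
BENIGN_XML = b'<?xml version="1.0"?><report><entry/></report>'
NESTED_ENTITY_XML = (
    b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "aaaaaaaaaa">'
    b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
    b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]><r>&c;</r>'
)


class EntityExpansionRejected(Exception):
    """Raised when a document declares entities or expands beyond budget."""


def parse_rejecting_entities(data: bytes) -> list:
    """Abort at the first entity declaration, i.e. any inline DTD that could
    define a substitution entity.  Returns the element names seen."""
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # An exception raised inside an expat handler stops the parse and
        # propagates out of Parse(), so nothing after the DTD is processed.
        raise EntityExpansionRejected(f"entity declaration {name!r} refused")

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)
    return seen


def parse_with_expansion_budget(data: bytes, max_ratio: int = 3) -> int:
    """Allow entities but cap amplification: expanded character data may not
    exceed max_ratio times the raw size (without entities the ratio is <= 1).
    Returns the expanded character count on success."""
    parser = xml.parsers.expat.ParserCreate()
    budget = max_ratio * len(data)
    expanded = [0]

    def on_chars(text):
        # expat delivers entity-expanded text here, possibly in chunks.
        expanded[0] += len(text)
        if expanded[0] > budget:
            raise EntityExpansionRejected(f"expansion exceeded {budget} characters")

    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return expanded[0]


def is_rejected(parse_fn, data: bytes) -> bool:
    """True if parse_fn refuses the document with EntityExpansionRejected."""
    try:
        parse_fn(data)
    except EntityExpansionRejected:
        return True
    return False
```

The first approach is what a service that never needs DTDs should use; the budget approach is for parsers that must tolerate legitimate small entity use.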
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-11-22 12:33:02 UTC
Created attachment 454034
1.8.16 patch
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-11-22 12:33:24 UTC
Created attachment 454036
1.9.4 patch
Comment 4 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-11-29 16:18:01 UTC
commit f41f37fe49472c2e0baa3811f04ed3fd5ffcaaff
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Tue Nov 29 14:37:48 2016

    dev-vcs/subversion: Sec bump to versions 1.8.17 and 1.9.5 (bug #600468).

    CVE-2016-8734

    Package-Manager: portage-2.3.2
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-11-30 03:25:57 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #4)
> commit f41f37fe49472c2e0baa3811f04ed3fd5ffcaaff
> Author: Lars Wendler <polynomial-c@gentoo.org>
> Date:   Tue Nov 29 14:37:48 2016
> 
>     dev-vcs/subversion: Sec bump to versions 1.8.17 and 1.9.5 (bug #600468).
> 
>     CVE-2016-8734
> 
>     Package-Manager: portage-2.3.2

Ready for stable?
Comment 6 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-11-30 08:43:39 UTC
Arches please test and mark stable the following two versions:

=dev-vcs/subversion-1.8.17
=dev-vcs/subversion-1.9.5

Target KEYWORDS are:

alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
Comment 7 Agostino Sarubbo gentoo-dev 2016-12-01 12:52:23 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-12-01 12:55:04 UTC
x86 stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-02 15:01:03 UTC
Stable on alpha.
Comment 10 Markus Meier gentoo-dev 2016-12-17 15:30:39 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-12-19 14:40:42 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-12-19 15:17:05 UTC
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-12-20 09:50:02 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2016-12-22 09:38:28 UTC
ppc64 stable
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-10 07:13:06 UTC
Stable for HPPA.
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-10 14:37:19 UTC
GLSA Vote: No


@ Maintainer(s): Please clean up and drop =dev-vcs/subversion-1.8.16 and =dev-vcs/subversion-1.9.4!
Comment 17 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-01-15 22:16:29 UTC
commit ce49f205ec6230ff2ffefebc6d865be9539170e4
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sun Jan 15 23:14:57 2017

    dev-vcs/subversion: Security cleanup (bug #600468).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2017-01-15 22:57:41 UTC
Tree is clean