Here's a really old Fedora bug report which, as far as I know, has not
been forwarded upstream so far:
https://bugzilla.redhat.com/show_bug.cgi?id=888755
Quoting from the bug report:
> In subversion 1.7.7 in
> tools/server-side/mod_dontdothat/mod_dontdothat.c, there is the
> following code:
>
> ctx->xmlp = XML_ParserCreate(NULL);
> apr_pool_cleanup_register(r->pool, ctx->xmlp,
>                           clean_up_parser,
>                           apr_pool_cleanup_null);
> XML_SetUserData(ctx->xmlp, ctx);
> XML_SetElementHandler(ctx->xmlp, start_element, end_element);
> XML_SetCharacterDataHandler(ctx->xmlp, cdata);
>
> This doesn't disable entity expansion for the internal DTD subset,
> so there is a denial-of-service vector ("billion laughs attack").
> I'm marking this as a security bug because it probably allows crashing
> Apache or triggering the kernel OOM handler. This should
> probably be fixed in coordination with Subversion upstream.
> Adding the following handler using
>
> XML_SetEntityDeclHandler(ctx->xmlp, EntityDeclHandler);
>
> should be sufficient to address this issue.
>
> // Stop the parser when an entity declaration is encountered.
> static void
> EntityDeclHandler(void *userData,
>                   const XML_Char *entityName, int is_parameter_entity,
>                   const XML_Char *value, int value_length,
>                   const XML_Char *base, const XML_Char *systemId,
>                   const XML_Char *publicId, const XML_Char *notationName)
> {
>   /* The cast assumes the handler argument is the parser itself (as with
>      XML_UseParserAsHandlerArg); the snippet above registers ctx via
>      XML_SetUserData, so there the parser would be reached through ctx.
>      XML_FALSE makes the stop non-resumable: XML_Parse returns
>      XML_STATUS_ERROR and no further entity references are expanded. */
>   XML_StopParser((XML_Parser)userData, XML_FALSE);
> }
I still don't see a reference to XML_SetEntityDeclHandler in the
sources, so I believe the issue still exists.
This issue was found by looking for binaries which reference
XML_ParserCreate, but not XML_SetEntityDeclHandler. I have not
constructed an actual reproducer.
Received on 2016-04-24 14:18:52 CEST
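The mitigation the report proposes, as an added example that is not from the bug report or from Subversion: the same expat entity-declaration callback reached through Python's stdlib binding (xml.parsers.expat), where raising from the handler is pyexpat's equivalent of XML_StopParser. The function and exception names, and the two sample documents, are mine.

```python
import xml.parsers.expat


class EntityDeclarationRejected(Exception):
    """Raised by the handler below to abandon the parse."""


def _reject_entity_decl(entity_name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
    # expat calls this for every <!ENTITY ...> in the internal DTD subset,
    # at declaration time and before any reference to it is expanded.
    # Raising here aborts Parse(), which re-raises the exception.
    kind = "parameter" if is_parameter_entity else "general"
    raise EntityDeclarationRejected(
        f"{kind} entity declaration {entity_name!r} not allowed")


def parse_without_entities(data):
    """Parse `data` with expat, refusing any document that declares entities.

    Returns (True, [element names in document order]) on success, or
    (False, reason) if the document tried to declare an entity.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = []
    parser.EntityDeclHandler = _reject_entity_decl
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    try:
        parser.Parse(data, True)
    except EntityDeclarationRejected as exc:
        return False, str(exc)
    return True, seen


if __name__ == "__main__":
    # Constructed inputs: a plain document, and one that declares a single
    # internal entity (the building block an expansion attack multiplies).
    plain = b"<r><a/><b/></r>"
    declares_entity = b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'
    print(parse_without_entities(plain))            # (True, ['r', 'a', 'b'])
    print(parse_without_entities(declares_entity))  # (False, "general entity declaration 'e' not allowed")
```

expat 2.4.0 and later also cap entity amplification by default, but refusing declarations outright works on older builds such as the ones the report concerns.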