Date: Sat, 6 Jun 2009 20:00:20 +0400
From: Eygene Ryabinkin <rea-sec@...elabs.ru>
To: oss-security@...ts.openwall.com,
	"Steven M. Christey" <coley@...us.mitre.org>
Cc: coley@...re.org, security@...che.org
Subject: Re: CVE request: "billion laughs" attack against
	Apache APR

Good day.

Wed, Jun 03, 2009 at 04:07:43PM +0100, Joe Orton wrote:
> The expat XML parser is vulnerable to the "billion laughs" entity 
> expansion attack.  This results in a denial of service vulnerability in 
> any network-facing service which uses the Apache "APR-util" library's 
> wrapper interface for expat to parse untrusted XML documents.  The 
> Apache httpd WebDAV module "mod_dav" is such a service.
> 
> References: 
> http://milw0rm.com/exploits/8842 
> http://marc.info/?l=apr-dev&m=124396021826125&w=2
> http://svn.apache.org/viewvc?rev=781403&view=rev
> 
> Affected versions: 
> APR-util <= 1.3.4

Fri, Jun 05, 2009 at 08:21:16PM -0400, Josh Bressers wrote:
> So there's another apr-util flaw. The initial mail makes it sound pretty
> scary, but it's really not that bad.
> 
> You can find all the scary details here:
> https://bugzilla.redhat.com/show_bug.cgi?id=504390

Please note that these two issues and CVE-2009-0023 seem to be
applicable to Apache 2.2.11 and Apache 2.0.63 (latest 2.x versions),
since they have bundled apr-util inside.  At least both have the
vulnerable code and I have verified the "billion laughs" attack against
Apache 2.2.11 with Subversion mod_dav_svn that uses internal Apache
libaprutil.  OS for testing was FreeBSD, but I think that others are
affected as well.

CC'ing Apache security contacts in case they aren't informed about this
issue yet.  Folks, maybe I am wrong in my assertions?
-- 
Eygene
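An added example, not part of this thread and not the APR-util fix itself, of how a defender guards an expat-based parser against the nested entity expansion described above, using Python's standard-library binding to the same expat library; the guard names, the limits and both sample documents are constructed here.

```python
import xml.parsers.expat


class EntityExpansionRejected(Exception):
    """Document declared internal entities or expanded past the byte budget."""

def parse_untrusted_xml(data: bytes, allow_entity_decls: bool = False,
                        max_expansion_ratio: float = 10.0) -> list:
    """Return [(element, text)] pairs (text attaches to the last opened element).
    Guard 1 refuses internal general-entity declarations, the building block of a
    nested-expansion document; guard 2 aborts once the character data expat hands
    back exceeds max_expansion_ratio times the input size."""
    parser = xml.parsers.expat.ParserCreate()
    seen, expanded = [], 0                 # [[element, text], ...] and expanded byte count
    budget = int(len(data) * max_expansion_ratio)

    def on_entity_decl(name, is_param, value, base, sys_id, pub_id, notation):
        if not allow_entity_decls and value is not None:   # None = external entity
            raise EntityExpansionRejected(f"internal entity '{name}' refused")

    def on_char_data(text):
        nonlocal expanded
        expanded += len(text.encode("utf-8"))
        if expanded > budget:
            raise EntityExpansionRejected(f"{expanded} bytes from {len(data)} input bytes")
        if seen:
            seen[-1][1] += text

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = lambda name, attrs: seen.append([name, ""])
    parser.CharacterDataHandler = on_char_data
    parser.Parse(data, True)               # handler exceptions propagate out of Parse()
    return [tuple(pair) for pair in seen]


def is_rejected(data: bytes, **limits) -> bool:
    """True when the guarded parser refuses the document."""
    try:
        parse_untrusted_xml(data, **limits)
    except EntityExpansionRejected:
        return True
    return False


# Constructed inputs: a harmless WebDAV-style body and a tiny three-level
# nested-entity document with the same shape as the attack (expands to 32 bytes).
BENIGN = b'<?xml version="1.0"?><propfind><prop>displayname</prop></propfind>'
NESTED = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY a "ha">'
          b'<!ENTITY b "&a;&a;&a;&a;"><!ENTITY c "&b;&b;&b;&b;">]><d>&c;</d>')
```

Guard 1 is the cheap choice for services like WebDAV that never need DTD entities; guard 2 is the fallback when entities must stay enabled, and the ratio should be tuned to the largest legitimate document the service expects.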
