oss-sec mailing list archives

Re: CVE request: "billion laughs" attack against Apache APR


From: Eygene Ryabinkin <rea-sec () codelabs ru>
Date: Sat, 6 Jun 2009 20:00:20 +0400

Good day.

Wed, Jun 03, 2009 at 04:07:43PM +0100, Joe Orton wrote:
> The expat XML parser is vulnerable to the "billion laughs" entity
> expansion attack.  This results in a denial of service vulnerability in
> any network-facing service which uses the Apache "APR-util" library's
> wrapper interface for expat to parse untrusted XML documents.  The
> Apache httpd WebDAV module "mod_dav" is such a service.
>
> References:
> http://milw0rm.com/exploits/8842
> http://marc.info/?l=apr-dev&m=124396021826125&w=2
> http://svn.apache.org/viewvc?rev=781403&view=rev
>
> Affected versions:
> APR-util <= 1.3.4

Fri, Jun 05, 2009 at 08:21:16PM -0400, Josh Bressers wrote:
> So there's another apr-util flaw. The initial mail makes it sound pretty
> scary, but it's really not that bad.
>
> You can find all the scary details here:
> https://bugzilla.redhat.com/show_bug.cgi?id=504390

Please note that these two issues and CVE-2009-0023 seem to be
applicable to Apache 2.2.11 and Apache 2.0.63 (the latest 2.x versions),
since they have apr-util bundled inside.  At least both have the
vulnerable code, and I have verified the "billion laughs" attack against
Apache 2.2.11 with Subversion mod_dav_svn, which uses the internal Apache
libaprutil.  The OS for testing was FreeBSD, but I think that others are
affected as well.

CC'ing Apache security contacts in case they aren't informed about this
issue yet.  Folks, maybe I am wrong in my assertions?
-- 
Eygene
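The defensive idea behind the fix referenced in the thread is to refuse XML documents that declare entities at all, before expat ever expands anything. The following is an added example of that check using Python's expat binding; it is not APR-util's or Apache's code, and the sample documents are constructed for illustration.

```python
"""Reject untrusted XML that declares entities (added example, not APR-util code)."""
import xml.parsers.expat as expat


class EntityDeclarationError(ValueError):
    """Raised when a document declares an entity in its DTD."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse untrusted XML and return the element names seen, in order.

    Any entity declaration (<!ENTITY name "...">, internal or external)
    aborts the parse from inside expat's EntityDeclHandler.  The handler
    runs while the DTD is read, before any entity reference in the body
    is substituted, so exponential expansion never starts.
    """
    names = []
    parser = expat.ParserCreate()

    def on_entity_decl(entity_name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # pyexpat propagates exceptions raised here out of parser.Parse().
        raise EntityDeclarationError(
            f"entity declaration {entity_name!r} rejected")

    def on_start(name, attrs):
        names.append(name)

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # isfinal=True: whole document in one call
    return names


def classify(data: bytes) -> str:
    """Return 'ok' for a parseable document without entities, else a reason."""
    try:
        parse_untrusted_xml(data)
    except EntityDeclarationError as exc:
        return f"rejected: {exc}"
    except expat.ExpatError as exc:
        return f"malformed: {exc}"
    return "ok"


# Constructed sample inputs.
BENIGN = b'<?xml version="1.0"?><root><a/><b/></root>'
DECLARES_ENTITY = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE r [<!ENTITY x "hi">]><r>&x;</r>')

if __name__ == "__main__":
    print(classify(BENIGN))            # ok
    print(classify(DECLARES_ENTITY))   # rejected: entity declaration 'x' rejected
```

Because the rejection happens at the declaration, a document with a deeply nested entity chain is turned away at the same cost as a document with a single harmless entity.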

