Here's a really old Fedora bug report which, as far as I know, has not been forwarded upstream so far:
https://bugzilla.redhat.com/show_bug.cgi?id=888755

Quoting from the bug report:

> In subversion 1.7.7 in
> tools/server-side/mod_dontdothat/mod_dontdothat.c, there is the
> following code:
>
>   ctx->xmlp = XML_ParserCreate(NULL);
>   apr_pool_cleanup_register(r->pool, ctx->xmlp,
>                             clean_up_parser,
>                             apr_pool_cleanup_null);
>   XML_SetUserData(ctx->xmlp, ctx);
>   XML_SetElementHandler(ctx->xmlp, start_element, end_element);
>   XML_SetCharacterDataHandler(ctx->xmlp, cdata);
>
> This doesn't disable entity expansion for the internal DTD subset,
> so there is a denial-of-service vector ("billion laughs attack").
> I'm marking this as a security bug because it probably allows one to
> crash Apache or trigger the kernel OOM handler. This should
> probably be fixed in coordination with Subversion upstream.
> Adding the following handler using
>
>   XML_SetEntityDeclHandler(ctx->xmlp, EntityDeclHandler);
>
> should be sufficient to address this issue.
>
>   // Stop the parser when an entity declaration is encountered.
>   static void
>   EntityDeclHandler(void *userData,
>                     const XML_Char *entityName, int is_parameter_entity,
>                     const XML_Char *value, int value_length,
>                     const XML_Char *base, const XML_Char *systemId,
>                     const XML_Char *publicId, const XML_Char *notationName)
>   {
>     XML_StopParser((XML_Parser)userData, XML_FALSE);
>   }

I still don't see a reference to XML_SetEntityDeclHandler in the sources,
so I believe the issue still exists.

This issue was found by looking for binaries which reference
XML_ParserCreate, but not XML_SetEntityDeclHandler. I have not
constructed an actual reproducer.
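The mitigation the bug report proposes, shown as an added example that is not from the bug report or from Subversion: Python's xml.parsers.expat binds the same expat EntityDeclHandler hook, so a small constructed document with an internal DTD subset is parsed once with expat's defaults (entities expanded) and once with the handler installed (parsing aborted at the first entity declaration). The ENTITY_DOC and PLAIN_DOC samples and the helper names are constructed for this illustration.

```python
import xml.parsers.expat

# Constructed sample: a tiny internal DTD subset whose nested entities
# amplify 4 characters of text into 16.  The "billion laughs" pattern
# is the same idea with many more nesting levels.
ENTITY_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE r [<!ENTITY a "xxxx"><!ENTITY b "&a;&a;&a;&a;">]>'
    '<r>&b;</r>'
)
# Constructed sample with no DTD at all, as a normal request body would be.
PLAIN_DOC = '<?xml version="1.0"?><r>hello</r>'


class EntityDeclarationRejected(Exception):
    """Raised when the hardened parser meets an entity declaration."""


def parse_text(doc: str, reject_entities: bool) -> str:
    """Parse doc with expat and return the concatenated character data.

    With reject_entities=True the parser behaves like the proposed fix:
    the first entity declaration aborts parsing before anything is expanded.
    pyexpat has no XML_StopParser binding, so raising from the handler plays
    that role (pyexpat stops the parser and re-raises from Parse()).
    Note that the C handler quoted in the bug report passes the user-data
    pointer (ctx) to XML_StopParser; with XML_SetUserData(ctx->xmlp, ctx)
    the parser to stop is ctx->xmlp.
    """
    chunks = []
    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append

    if reject_entities:
        def entity_decl(entity_name, is_parameter_entity, value,
                        base, system_id, public_id, notation_name):
            raise EntityDeclarationRejected(
                f"entity declaration {entity_name!r} not allowed")
        parser.EntityDeclHandler = entity_decl

    parser.Parse(doc, True)
    return "".join(chunks)


def is_accepted(doc: str) -> bool:
    """True if the hardened parser accepts doc, False if it rejects it."""
    try:
        parse_text(doc, reject_entities=True)
    except EntityDeclarationRejected:
        return False
    return True
```

Calling `parse_text(ENTITY_DOC, reject_entities=False)` returns the 16 expanded characters, while `is_accepted(ENTITY_DOC)` is False and `is_accepted(PLAIN_DOC)` is True.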