Hello,

On 2021/12/03 12:09, kathy....@yokogawa.com wrote:
> Hi,
> 
> Our company is currently using Subversion in our development.
> 
> In our recent security analysis scan with Black Duck, it detected 
> CVE-2016-0718<https://nvd.nist.gov/vuln/detail/CVE-2016-0718> in Expat, which 
> is referenced by Subversion.
> 
> This vulnerability has been resolved from Expat 2.2.0 onwards, whereas Expat 
> 1.6.x is used in the latest version of Subversion, 1.14.
The project ships source code only, does not ship binary packages,
and Subversion 1.14.1 can be built with newer Expat than 2.2.0.

e.g., in my FreeBSD 13 environment:
[[[
$ svn --version | head -2
svn, version 1.14.1 (r1886195)
   compiled Jun 27 2021, 16:04:42 on amd64-portbld-freebsd13.0
$ ldd `which svn` | fgrep libexpat
        libexpat.so.1 => /usr/local/lib/libexpat.so.1 (0x8006ef000)
$ pkg which /usr/local/lib/libexpat.so.1
/usr/local/lib/libexpat.so.1 was installed by package expat-2.4.1
]]]
 
> We hope you can provide some information of the following few queries:
> 
>   1.  Is there any plan for Subversion to upgrade with Expat 2.2.0 or above?

I think we could reject older Expat, but I don't think we will.
On the other hand, I believe that if we need a newer Expat library for
security reasons whose API has changed and needs some modification
in our code, we will update our code.
(At least I'll do it, if possible.)

>   2.  We currently self-build and use Subversion 1.10.6.
>      *   May I know if there is any impact if we internally upgrade Expat to 
> 2.2.0 or above?
>      *   What should we pay attention to if we would use the newer version of 
> Expat?

At least you can run Subversion's test suites after building
with newer Expat, before deploying.

>   3.  May I know if the issue detected in CVE-2016-0718 has a direct impact on 
> Subversion?
>      *   According to NVD, it is related to "processing maliciously crafted 
> XML may lead to unexpected application termination or arbitrary code 
> execution". It may allow context-dependent attackers to cause a denial of 
> service (crash) or possibly execute arbitrary code via a malformed input 
> document, which triggers a buffer overflow.
> 

Perhaps a crafted Subversion server can attack vulnerable clients
and a crafted client can attack vulnerable servers, but I didn't
analyze the code, because we can use Expat which is not affected
by CVE-2016-0718.

Cheers,
-- 
Yasuhito FUTATSUKI <futat...@yf.bsclub.org>
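The ldd/pkg check above, generalised into a small script that locates the libexpat an svn binary loads, reads the version string compiled into it, and compares it against the 2.2.0 threshold the thread cites. This is an added example, not code from the thread or from the Subversion project; it assumes ldd is available and that libexpat embeds its "expat_X.Y.Z" version string (the value XML_ExpatVersion() returns), and it reports statically linked or missing libexpat as "unknown" rather than guessing.

```shell
#!/bin/sh
# Added example: does the svn binary on this host load an Expat >= 2.2.0?
# Assumptions (not from the thread): ldd output of the form
# "libexpat.so.1 => /path/libexpat.so.1 (...)", and a libexpat that embeds
# the string "expat_X.Y.Z" (what XML_ExpatVersion() returns).

# version_ge A B: exit 0 if dotted version A >= dotted version B.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# expat_version_from_lib LIBPATH: print X.Y.Z from the embedded version string.
# Non-printable bytes become newlines, so no binutils "strings" is needed.
expat_version_from_lib() {
    tr -c '[:print:]' '\n' < "$1" \
        | sed -n 's/^expat_\([0-9][0-9.]*\)$/\1/p' | head -n 1
}

# expat_lib_for BINARY: print the libexpat path the dynamic loader resolves.
expat_lib_for() {
    ldd "$1" 2>/dev/null | awk '/libexpat/ && $3 ~ /^\// { print $3; exit }'
}

# check_svn_expat [BINARY]: 0 if Expat >= 2.2.0, 1 if older, 2 if unknown.
check_svn_expat() {
    bin=${1:-$(command -v svn)}
    [ -n "$bin" ] || { echo "svn binary not found" >&2; return 2; }
    lib=$(expat_lib_for "$bin")
    [ -n "$lib" ] || { echo "$bin: no dynamic libexpat (static or absent)" >&2; return 2; }
    ver=$(expat_version_from_lib "$lib")
    [ -n "$ver" ] || { echo "$lib: no expat_X.Y.Z string found" >&2; return 2; }
    if version_ge "$ver" 2.2.0; then
        echo "$bin -> $lib (expat $ver): not affected by CVE-2016-0718"
        return 0
    fi
    echo "$bin -> $lib (expat $ver): older than 2.2.0, rebuild against newer Expat"
    return 1
}
```

Run `check_svn_expat` (optionally with the path to a self-built svn) before deploying a build, alongside the test suite the reply recommends.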
