Dear Futatsuki san,

Thank you very much for your information.
These are very helpful; we will check them out accordingly.

Regards.

Kathy

-----Original Message-----
From: Yasuhito FUTATSUKI <futat...@yf.bsdclub.org>
Sent: Friday, 3 December 2021 1:05 PM
To: Kathy Chu Ka Wai <kathy....@yokogawa.com>; users@subversion.apache.org
Cc: Ang Kiam Heong <kiamheong....@yokogawa.com>; Lin Naing Oo 
<naingoo....@yokogawa.com>; Archie Orido <archie.or...@yokogawa.com>; Janet 
Tria <janet.t...@yokogawa.com>
Subject: Re: Regarding CVE-2016-0718 reported in Expat


Hello,

On 2021/12/03 12:09, kathy....@yokogawa.com wrote:
> Hi,
>
> Our company is currently using Subversion in our development.
>
> In our recent security analysis scan with Black Duck, it detected 
> CVE-2016-0718 <https://nvd.nist.gov/vuln/detail/CVE-2016-0718> in Expat, 
> which is referenced by Subversion.
>
> This vulnerability has been resolved from Expat 2.2.0 onwards, where Expat 
> 1.6.x is used in the latest version of Subversion 1.14.
The project ships source code only and does not ship binary packages, and 
Subversion 1.14.1 can be built with an Expat newer than 2.2.0.

e.g. In my FreeBSD 13 environment:
[[[
$ svn --version | head -2
svn, version 1.14.1 (r1886195)
   compiled Jun 27 2021, 16:04:42 on amd64-portbld-freebsd13.0
$ ldd `which svn` | fgrep libexpat
        libexpat.so.1 => /usr/local/lib/libexpat.so.1 (0x8006ef000)
$ pkg which /usr/local/lib/libexpat.so.1
/usr/local/lib/libexpat.so.1 was installed by package expat-2.4.1
]]]

> We hope you can provide some information of the following few queries:
>
>   1.  Is there any plan for Subversion to upgrade with Expat 2.2.0 or above?

I think we could reject older Expat, but I don't think we will.
On the other hand, I believe that if we need a newer Expat library for security 
reasons whose API has changed and needs some modification in our code, we will 
update our code.
(At least I'll do it, if possible.)

>   2.  We are currently self-build and use Subversion 1.10.6.
>      *   May I know if there is any impact if we internally upgrade Expat to 
> 2.2.0 or above?
>      *   What should we pay attention to if we would use the newer version of 
> Expat?

At least you can run Subversion's test suites after building with newer Expat, 
before deploying.

>   3.  May I know if the issue detected in CVE-2016-0718 has direct impact to 
> Subversion?
>      *   According to NVD, it is related to "processing maliciously crafted 
> XML may lead to unexpected application termination or arbitrary code 
> execution". It may allow context-dependent attackers to cause a denial of 
> service (crash) or possibly execute arbitrary code via a malformed input 
> document, which triggers a buffer overflow.
>

Perhaps a crafted Subversion server can attack vulnerable clients and a crafted 
client can attack vulnerable servers, but I didn't analyze the code, because we 
can use an Expat which is not affected by CVE-2016-0718.

Cheers,
--
Yasuhito FUTATSUKI <futat...@yf.bsdclub.org>
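The check above (which libexpat the svn binary links against, and whether that Expat is at or above 2.2.0, the release the thread names as fixing CVE-2016-0718) as a small script. This is an added example, not code from the thread or from the Subversion project; it assumes FreeBSD-style `ldd` and `pkg which` output like that shown above, and the version threshold and sample lines are taken from the message.

```shell
#!/bin/sh
# Added example: verify that the Expat a built svn links against is at or
# above the version the thread cites as fixing CVE-2016-0718.

MIN_EXPAT="2.2.0"   # first Expat release with the CVE-2016-0718 fix (per the thread)

# version_ge A B: succeed when dotted version A is >= B (numeric, per component).
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k 1,1n -k 2,2n -k 3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# expat_path_from_ldd: read ldd output on stdin, print the resolved libexpat path
# (the first field starting with "/" on the libexpat line).
expat_path_from_ldd() {
    awk '/libexpat/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }'
}

# expat_version_from_pkg: read `pkg which` output on stdin and print the version,
# e.g. "2.4.1" from "... was installed by package expat-2.4.1".
expat_version_from_pkg() {
    sed -n 's/.*installed by package expat-\([0-9][0-9.]*\).*/\1/p'
}

# check_expat VERSION: print a verdict; return 0 when fixed, 1 when still affected.
check_expat() {
    if version_ge "$1" "$MIN_EXPAT"; then
        echo "expat $1: CVE-2016-0718 fixed (>= $MIN_EXPAT)"
        return 0
    fi
    echo "expat $1: affected by CVE-2016-0718 (< $MIN_EXPAT); rebuild against >= $MIN_EXPAT"
    return 1
}

# Live check, only meaningful on a host that has svn, ldd and pkg (FreeBSD).
if command -v svn >/dev/null 2>&1 && command -v pkg >/dev/null 2>&1; then
    lib=$(ldd "$(command -v svn)" | expat_path_from_ldd)
    ver=$(pkg which "$lib" | expat_version_from_pkg)
    [ -n "$ver" ] && check_expat "$ver"
fi
```

On a Linux host the `pkg which` step is replaced by the distribution's package query (e.g. `dpkg -S` or `rpm -qf`); the version comparison and ldd parsing stay the same.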