bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)

From:	Marius Bakke
Subject:	bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
Date:	Sun, 23 May 2021 17:15:11 +0200

Greetings Guix,

What's old is new again!  Expat 2.4.0 was recently released with a
fix for a denial of service issue dubbed "billion laughs attack":

  https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
  https://en.wikipedia.org/wiki/Billion_laughs_attack

Seeing as this vulnerability appears to be eight years old and is
"merely" a DoS: is it worth fixing on the 'master' branch (and
re-grafting pretty much everything)?

In any case I've attached a patch that does just that and I'm currently
using it on my system.  I'm hesitant to push it because of the grafting
cost and would like others opinion.

0001-gnu-expat-Replace-with-2.4.0-fixes-CVE-2013-0340.patch
Description: Text Data

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340), Marius Bakke <=
- bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340), Maxime Devos, 2021/05/23
- bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340), Leo Famulari, 2021/05/24

Prev by Date: bug#46450: [core-updates] r-suppdists source checksum changed
Next by Date: bug#26604: documentation: pdf generation is broken
Previous by thread: bug#46450: [core-updates] r-suppdists source checksum changed
Next by thread: bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
Index(es):
- Date
- Thread