[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
|
From: |
Maxime Devos |
|
Subject: |
bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340) |
|
Date: |
Sun, 23 May 2021 20:40:29 +0200 |
|
User-agent: |
Evolution 3.34.2 |
Marius Bakke schreef op zo 23-05-2021 om 17:15 [+0200]:
> Greetings Guix,
>
> What's old is new again! Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
>
> https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
> https://en.wikipedia.org/wiki/Billion_laughs_attack
>
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?
Since this is ‘merely’ a DoS that does not lead to an exploit, I
would simply upgrade the package on 'core-updates'. However, I don't
run any servers. At worst, an attacker could bring down a computer or
burn CPU cyles but nothing else. Bad, but not an exploit and not worth
a graft in my opinion. If this attack is found to cause an annoyance in
the wild, we can easily add a graft later.
>
> In any case I've attached a patch that does just that and I'm currently
> using it on my system. I'm hesitant to push it because of the grafting
> cost and would like others opinion.
>
I would like others opinion as well.
Greetings,
Maxime.
signature.asc
Description: This is a digitally signed message part