bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)

From:	Leo Famulari
Subject:	bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
Date:	Mon, 24 May 2021 13:06:47 -0400

On Sun, May 23, 2021 at 05:15:11PM +0200, Marius Bakke wrote:
> Greetings Guix,
> 
> What's old is new again!  Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
> 
>   https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
>   https://en.wikipedia.org/wiki/Billion_laughs_attack
> 
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?
> 
> In any case I've attached a patch that does just that and I'm currently
> using it on my system.  I'm hesitant to push it because of the grafting
> cost and would like others opinion.

I think it's okay to graft it. The distro is big enough that there will
always be some grafted packages. However, I'd like to try ungrafting at
regular periods; based on the current ungrafting build cycle, monthly
may be reasonable.

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340), Marius Bakke, 2021/05/23
- bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340), Maxime Devos, 2021/05/23
- bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340), Leo Famulari <=

Prev by Date: bug#48604:
Next by Date: bug#48616: GParted root
Previous by thread: bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
Next by thread: bug#48604: Linux-libre 5.12.5 freezes
Index(es):
- Date
- Thread