From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
From: Maxime Devos
To: Marius Bakke, 48612@debbugs.gnu.org
Date: Sun, 23 May 2021 20:40:29 +0200
Message-ID: <29e294edf8ccdb887acd74e5a65c77c2e974aa75.camel@telenet.be>
In-Reply-To: <87bl91qy68.fsf@gnu.org>
References: <87bl91qy68.fsf@gnu.org>
List-Id: Bug reports for GNU Guix
User-Agent: Evolution 3.34.2

Marius Bakke wrote on Sun 23-05-2021 at 17:15 [+0200]:
> Greetings Guix,
>
> What's old is new again! Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
>
> https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
> https://en.wikipedia.org/wiki/Billion_laughs_attack
>
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?

Since this is ‘merely’ a DoS that does not lead to an exploit, I would
simply upgrade the package on 'core-updates'. However, I don't run any
servers. At worst, an attacker could bring down a computer or burn CPU
cycles but nothing else. Bad, but not an exploit and not worth a graft
in my opinion. If this attack is found to cause an annoyance in the
wild, we can easily add a graft later.

> In any case I've attached a patch that does just that and I'm currently
> using it on my system. I'm hesitant to push it because of the grafting
> cost and would like others' opinion.

I would like others' opinion as well.

Greetings,
Maxime.
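As an added illustration, not code from this thread or from Expat itself: a small Python estimator of the entity-expansion amplification that Expat 2.4.0 now limits, so a document can be costed before it is handed to a parser that lacks the fix. It uses Expat's documented defaults as assumptions (100x amplification, enforced only once output exceeds 8 MiB), models internal general entities only, and ends with a constructed three-level sample; the figure it computes is a lower bound on what Expat counts, since Expat also charges the reference text inside replacement text.

```python
import re

# Expat 2.4.0's documented defaults (assumed here); the limit only applies above the threshold.
DEFAULT_MAX_AMPLIFICATION = 100.0
DEFAULT_ACTIVATION_THRESHOLD = 8 * 1024 * 1024  # bytes of total output

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')  # internal general entities only
ENTITY_REF = re.compile(r'&(\w+);')
DOCTYPE = re.compile(r'<!DOCTYPE.*?\]\s*>', re.DOTALL)

def check_document(xml_text, max_amplification=DEFAULT_MAX_AMPLIFICATION,
                   activation_threshold=DEFAULT_ACTIVATION_THRESHOLD):
    """Cost the entity expansion of a document without materialising it; returns direct
    bytes, expanded (indirect) bytes, Expat's ratio (direct+indirect)/direct, and a verdict."""
    entities = dict(ENTITY_DECL.findall(xml_text))
    memo = {}
    def entity_size(name, stack):
        # Memoised: each entity is costed once, however often it is referenced.
        if name not in memo:
            if name in stack:
                raise ValueError(f"recursive entity reference: {name}")
            memo[name] = expanded_size(entities[name], stack + (name,))
        return memo[name]
    def expanded_size(text, stack):
        size, pos = 0, 0
        for ref in ENTITY_REF.finditer(text):
            size += ref.start() - pos
            name = ref.group(1)
            # Undeclared names (e.g. the predefined &amp;) stay verbatim.
            size += entity_size(name, stack) if name in entities else len(ref.group(0))
            pos = ref.end()
        return size + len(text) - pos
    body = DOCTYPE.sub("", xml_text, count=1)
    direct = len(xml_text.encode())
    indirect = sum(entity_size(r.group(1), ()) for r in ENTITY_REF.finditer(body)
                   if r.group(1) in entities)
    amplification = (direct + indirect) / direct
    rejected = direct + indirect > activation_threshold and amplification > max_amplification
    return {"direct": direct, "indirect": indirect, "amplification": amplification, "rejected": rejected}

# Constructed sample: three nesting levels of ten references each (the attack's shape, scaled down).
LAUGHS_DOC = """<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>
"""
```

Because the sample is a few hundred bytes it stays under the activation threshold, which is exactly why Expat's defaults let small documents through untouched while a document that grows past 8 MiB at more than 100x is refused.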