From: Marius Bakke <marius@gnu.org>
To: 48612@debbugs.gnu.org
Subject: bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
Date: Sun, 23 May 2021 17:15:11 +0200
Message-ID: <87bl91qy68.fsf@gnu.org>
Greetings Guix,

What's old is new again! Expat 2.4.0 was recently released with a
fix for a denial of service issue dubbed "billion laughs attack":
https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
https://en.wikipedia.org/wiki/Billion_laughs_attack

Seeing as this vulnerability appears to be eight years old and is
"merely" a DoS: is it worth fixing on the 'master' branch (and
re-grafting pretty much everything)?

In any case I've attached a patch that does just that and I'm currently
using it on my system. I'm hesitant to push it because of the grafting
cost and would like others' opinion.
From 2589767bf405b837db06dadf1c9f990620f11a38 Mon Sep 17 00:00:00 2001
From: Marius Bakke <marius@gnu.org>
Date: Sun, 23 May 2021 14:22:16 +0200
Subject: [PATCH] gnu: expat: Replace with 2.4.0 [fixes CVE-2013-0340].
* gnu/packages/xml.scm (expat-2.4.0): New variable.
(expat)[replacement]: New field.
---
gnu/packages/xml.scm | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index ad2e3ec6c9..cbd33326e8 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -13,7 +13,7 @@
;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
;;; Copyright © 2016, 2017 Nikita <nikita@n0.is>
;;; Copyright © 2016–2021 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2016, 2017, 2018, 2019, 2020 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2016, 2017, 2018, 2019, 2020, 2021 Marius Bakke <marius@gnu.org>
;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com>
;;; Copyright © 2017 Gregor Giesen <giesen@zaehlwerk.net>
;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
@@ -121,6 +121,7 @@ the entire document.")
(package
(name "expat")
(version "2.2.9")
+ (replacement expat-2.4.0)
(source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
(origin
(method url-fetch)
@@ -144,6 +145,24 @@ stream-oriented parser in which an application registers handlers for
things the parser might find in the XML document (like start tags).")
(license license:expat)))
+;; Replacement package to fix CVE-2013-0340.
+(define expat-2.4.0
+ (package
+ (inherit expat)
+ (version "2.4.0")
+ (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
+ (origin
+ (method url-fetch)
+ (uri (list (string-append "mirror://sourceforge/expat/expat/"
+ version "/expat-" version ".tar.xz")
+ (string-append
+ "https://github.com/libexpat/libexpat/releases/download/R_"
+ (string-map dot->underscore version)
+ "/expat-" version ".tar.xz")))
+ (sha256
+ (base32
+ "04hyv04ygicyajb9ancv02a7sj5v97d94m2bnrjr5fx03r84iib3")))))))
+
(define-public libebml
(package
(name "libebml")
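Review bot: the replacement jumps from 2.2.9 straight to 2.4.0, and since this is a graft the new library is swapped into already-built dependents without rebuilding them, so the commit message should record that the shared-library ABI and soname were checked to be unchanged between the two versions (otherwise the change belongs on a rebuild branch rather than as a graft). A small style point in the same hunk: the `dot->underscore` lambda is duplicated verbatim from the base `expat` package's `source`; hoisting it to a top-level helper would keep the two origins from drifting apart.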
--
2.31.1