unofficial mirror of bug-guix@gnu.org 
* bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
@ 2021-05-23 15:15 Marius Bakke
  2021-05-23 18:40 ` Maxime Devos
  2021-05-24 17:06 ` Leo Famulari
  0 siblings, 2 replies; 4+ messages in thread
From: Marius Bakke @ 2021-05-23 15:15 UTC (permalink / raw)
  To: 48612



Greetings Guix,

What's old is new again!  Expat 2.4.0 was recently released with a
fix for a denial of service issue dubbed "billion laughs attack":

  https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
  https://en.wikipedia.org/wiki/Billion_laughs_attack

Seeing as this vulnerability appears to be eight years old and is
"merely" a DoS: is it worth fixing on the 'master' branch (and
re-grafting pretty much everything)?

In any case I've attached a patch that does just that and I'm currently
using it on my system.  I'm hesitant to push it because of the grafting
cost and would like others' opinion.


[-- Attachment #1.2: 0001-gnu-expat-Replace-with-2.4.0-fixes-CVE-2013-0340.patch --]

From 2589767bf405b837db06dadf1c9f990620f11a38 Mon Sep 17 00:00:00 2001
From: Marius Bakke <marius@gnu.org>
Date: Sun, 23 May 2021 14:22:16 +0200
Subject: [PATCH] gnu: expat: Replace with 2.4.0 [fixes CVE-2013-0340].

* gnu/packages/xml.scm (expat-2.4.0): New variable.
(expat)[replacement]: New field.
---
 gnu/packages/xml.scm | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index ad2e3ec6c9..cbd33326e8 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -13,7 +13,7 @@
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
 ;;; Copyright © 2016, 2017 Nikita <nikita@n0.is>
 ;;; Copyright © 2016–2021 Tobias Geerinckx-Rice <me@tobias.gr>
-;;; Copyright © 2016, 2017, 2018, 2019, 2020 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2016, 2017, 2018, 2019, 2020, 2021 Marius Bakke <marius@gnu.org>
 ;;; Copyright © 2017 Adriano Peluso <catonano@gmail.com>
 ;;; Copyright © 2017 Gregor Giesen <giesen@zaehlwerk.net>
 ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
@@ -121,6 +121,7 @@ the entire document.")
   (package
     (name "expat")
     (version "2.2.9")
+    (replacement expat-2.4.0)
     (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
               (origin
                 (method url-fetch)
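Review bot: `(replacement expat-2.4.0)` names a variable that is only defined further down the file, after `expat` itself; this is fine because the package record's `replacement` field is thunked, so the forward reference is resolved lazily, but keep the two definitions adjacent, as this patch does, so that the dependency is visible. Since a graft swaps 2.4.0 in for 2.2.9 in the store without rebuilding dependents, the replacement must keep the same outputs and an ABI-compatible shared library; stating in the comment or commit message that this was checked would save the next reviewer the question.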
@@ -144,6 +145,24 @@ stream-oriented parser in which an application registers handlers for
 things the parser might find in the XML document (like start tags).")
     (license license:expat)))
 
+;; Replacement package to fix CVE-2013-0340.
+(define expat-2.4.0
+  (package
+    (inherit expat)
+    (version "2.4.0")
+    (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
+              (origin
+                (method url-fetch)
+                (uri (list (string-append "mirror://sourceforge/expat/expat/"
+                                          version "/expat-" version ".tar.xz")
+                           (string-append
+                            "https://github.com/libexpat/libexpat/releases/download/R_"
+                            (string-map dot->underscore version)
+                            "/expat-" version ".tar.xz")))
+                (sha256
+                 (base32
+                  "04hyv04ygicyajb9ancv02a7sj5v97d94m2bnrjr5fx03r84iib3")))))))
+
 (define-public libebml
   (package
     (name "libebml")
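Review bot: the `sha256` in the new `origin` cannot be checked from the hunk alone, and the `uri` list tries the SourceForge mirror before the GitHub release, so the commit message should record that the tarball was verified against upstream's release signature rather than only hashed after download. The comment `;; Replacement package to fix CVE-2013-0340.` should also say that this is a graft to be folded into `expat` on the next `core-updates` merge, otherwise the duplicated `origin` (including the copied `dot->underscore` helper) tends to outlive its purpose.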
-- 
2.31.1


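The report above links to the description of the attack but does not show how a consumer of XML can detect an over-amplified document before handing it to an Expat that predates the 2.4.0 protection. The following Python script is an added example; it is not code from this bug report, from Guix, or from Expat. It sizes every internal general entity declared in a document's DTD subset and estimates the amplification factor the way Expat 2.4.0 defines it (input bytes plus expanded bytes, relative to input bytes), enforcing the limit only once an activation threshold of processed bytes is exceeded. The default limits of 100 and 8 MiB are taken from Expat 2.4.0's documentation, an assumption not stated in this thread; the three sample documents are constructed for the demonstration.

```python
"""Static pre-check for XML entity-expansion amplification ("billion laughs").

Added example; not part of bug#48612, of Guix, or of Expat. It inspects the
internal DTD subset, computes the fully expanded size of each general entity,
and estimates how much larger the document becomes once the body's entity
references are expanded. The default limits (100x amplification, 8 MiB
activation threshold) are assumed to mirror Expat 2.4.0's documented defaults.
"""
import re
from dataclasses import dataclass

# Internal subset of the DOCTYPE: everything between "[" and the first "]>".
DOCTYPE_SUBSET = re.compile(rb"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.DOTALL)
# Internal general entity declarations; parameter entities ("<!ENTITY % ...>") are excluded.
ENTITY_DECL = re.compile(rb"<!ENTITY\s+(?!%)([\w.:-]+)\s+(?:\"([^\"]*)\"|'([^']*)')\s*>")
# External general entities cannot be sized without fetching them.
EXTERNAL_DECL = re.compile(rb"<!ENTITY\s+(?!%)[\w.:-]+\s+(?:SYSTEM|PUBLIC)\b")
# General entity references; character references (&#...;) do not match and count as literal bytes.
ENTITY_REF = re.compile(rb"&([\w.:-]+);")


class RecursiveEntityError(ValueError):
    """Raised when entity replacement texts reference each other in a cycle."""


@dataclass
class Report:
    direct: int           # bytes of input
    indirect: int         # bytes produced by expanding the body's entity references
    amplification: float  # (direct + indirect) / direct, Expat's definition
    rejected: bool
    reason: str


def expanded_sizes(decls):
    """Return {name: fully expanded byte length} for every declared entity.

    Sizes are memoised, so each entity is measured once: the estimate stays
    linear even when the expansion itself would be exponential.
    """
    sizes = {}

    def size_of(name, stack):
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise RecursiveEntityError("recursive entity reference via %r" % name.decode())
        text = decls[name]
        total, pos = 0, 0
        for m in ENTITY_REF.finditer(text):
            total += m.start() - pos           # literal bytes before the reference
            ref = m.group(1)
            if ref in decls:
                total += size_of(ref, stack | {name})
            else:
                total += len(m.group(0))       # undeclared or predefined: keep literal length
            pos = m.end()
        total += len(text) - pos               # trailing literal bytes
        sizes[name] = total
        return total

    for name in decls:
        size_of(name, frozenset())
    return sizes


def check_entity_amplification(data, max_amplification=100.0,
                               activation_threshold=8 * 1024 * 1024):
    """Decide whether DATA (bytes) is safe to hand to an entity-expanding parser."""
    direct = len(data)
    m = DOCTYPE_SUBSET.search(data)
    if m is None:
        return Report(direct, 0, 1.0, False, "no internal DTD subset")
    subset, body = m.group(1), data[m.end():]
    if EXTERNAL_DECL.search(subset):
        return Report(direct, 0, 1.0, True, "external entity cannot be sized statically")
    decls = {name: dq or sq for name, dq, sq in ENTITY_DECL.findall(subset)}
    try:
        sizes = expanded_sizes(decls)
    except RecursiveEntityError as exc:
        return Report(direct, 0, 1.0, True, str(exc))
    indirect = sum(sizes.get(ref, 0) for ref in ENTITY_REF.findall(body))
    amplification = (direct + indirect) / direct
    # Like Expat 2.4.0, enforce the ratio only once enough bytes are in play,
    # so small documents with legitimately heavy entity use are not refused.
    rejected = direct + indirect > activation_threshold and amplification > max_amplification
    reason = ("amplification %.1f exceeds limit %.1f" % (amplification, max_amplification)
              if rejected else "within budget")
    return Report(direct, indirect, amplification, rejected, reason)


# Constructed sample inputs (not taken from any real report).
# Five nesting levels with ten references each: &e5; expands to 3 * 10**5 bytes.
SAMPLE_NESTED = b"""<?xml version="1.0"?>
<!DOCTYPE x [
<!ENTITY e0 "lol">
<!ENTITY e1 "&e0;&e0;&e0;&e0;&e0;&e0;&e0;&e0;&e0;&e0;">
<!ENTITY e2 "&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;&e1;">
<!ENTITY e3 "&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;&e2;">
<!ENTITY e4 "&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;&e3;">
<!ENTITY e5 "&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;&e4;">
]>
<x>&e5;</x>
"""
SAMPLE_BENIGN = b'<?xml version="1.0"?>\n<note>&amp; no DTD at all</note>\n'
SAMPLE_RECURSIVE = b'<!DOCTYPE x [<!ENTITY a "&b;"><!ENTITY b "&a;">]><x>&a;</x>'

if __name__ == "__main__":
    for label, doc in (("nested", SAMPLE_NESTED), ("benign", SAMPLE_BENIGN),
                       ("recursive", SAMPLE_RECURSIVE)):
        print(label, check_entity_amplification(doc, activation_threshold=64 * 1024))
```

With the defaults the nested sample is reported at roughly 858x amplification but not rejected, because its 300 KB of expansion stays under the 8 MiB activation threshold, which is the same trade-off Expat 2.4.0 makes; lowering the threshold to 64 KiB makes the check refuse it. The script is a lint to put in front of a parser that cannot be upgraded yet, not a substitute for the upgrade: it uses regular expressions rather than a full XML tokenizer, so references inside comments or CDATA sections are counted as if they expanded, which errs on the side of refusing.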

* bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
From: Maxime Devos @ 2021-05-23 18:40 UTC (permalink / raw)
  To: Marius Bakke, 48612


Marius Bakke wrote on Sun 23-05-2021 at 17:15 [+0200]:
> Greetings Guix,
> 
> What's old is new again!  Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
> 
>   https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
>   https://en.wikipedia.org/wiki/Billion_laughs_attack
> 
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?

Since this is ‘merely’ a DoS that does not lead to an exploit, I
would simply upgrade the package on 'core-updates'. However, I don't
run any servers. At worst, an attacker could bring down a computer or
burn CPU cycles but nothing else. Bad, but not an exploit and not worth
a graft in my opinion. If this attack is found to cause an annoyance in
the wild, we can easily add a graft later.

> 
> In any case I've attached a patch that does just that and I'm currently
> using it on my system.  I'm hesitant to push it because of the grafting
> cost and would like others' opinion.
> 

I would like others' opinion as well.

Greetings,
Maxime.


* bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
From: Leo Famulari @ 2021-05-24 17:06 UTC (permalink / raw)
  To: Marius Bakke; +Cc: 48612


On Sun, May 23, 2021 at 05:15:11PM +0200, Marius Bakke wrote:
> Greetings Guix,
> 
> What's old is new again!  Expat 2.4.0 was recently released with a
> fix for a denial of service issue dubbed "billion laughs attack":
> 
>   https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes
>   https://en.wikipedia.org/wiki/Billion_laughs_attack
> 
> Seeing as this vulnerability appears to be eight years old and is
> "merely" a DoS: is it worth fixing on the 'master' branch (and
> re-grafting pretty much everything)?
> 
> In any case I've attached a patch that does just that and I'm currently
> using it on my system.  I'm hesitant to push it because of the grafting
> cost and would like others' opinion.

I think it's okay to graft it. The distro is big enough that there will
always be some grafted packages. However, I'd like to try ungrafting at
regular periods; based on the current ungrafting build cycle, monthly
may be reasonable.


* bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340)
From: Leo Famulari @ 2021-06-03  3:16 UTC (permalink / raw)
  To: Marius Bakke; +Cc: 48612-done


On Mon, May 24, 2021 at 01:06:47PM -0400, Leo Famulari wrote:
> I think it's okay to graft it. The distro is big enough that there will
> always be some grafted packages. However, I'd like to try ungrafting at
> regular periods; based on the current ungrafting build cycle, monthly
> may be reasonable.

I updated your patch to use expat 2.4.1 and pushed as
6d71f6a73cd27d61d3302b9658893428af6314d2

