From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id SFdPObpxqmCJsAAAgWs5BA (envelope-from ) for ; Sun, 23 May 2021 17:16:10 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id QL7gNLpxqmApWAAAB5/wlQ (envelope-from ) for ; Sun, 23 May 2021 15:16:10 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 1341136D2D for ; Sun, 23 May 2021 17:16:10 +0200 (CEST) Received: from localhost ([::1]:51058 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lkppo-0001pN-CK for larch@yhetil.org; Sun, 23 May 2021 11:16:08 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:33294) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lkppi-0001pB-9P for bug-guix@gnu.org; Sun, 23 May 2021 11:16:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:58324) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lkppi-0007m5-1j for bug-guix@gnu.org; Sun, 23 May 2021 11:16:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lkpph-0003PP-SN for bug-guix@gnu.org; Sun, 23 May 2021 11:16:01 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#48612: Expat "billion laughs attack" vulnerability (CVE-2013-0340) Resent-From: Marius Bakke Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Sun, 23 May 2021 15:16:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 48612 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: 48612@debbugs.gnu.org X-Debbugs-Original-To: bug-guix@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.162178292613055 (code B ref -1); Sun, 23 May 2021 15:16:01 +0000 Received: (at submit) by debbugs.gnu.org; 23 May 2021 15:15:26 +0000 Received: from localhost ([127.0.0.1]:41637 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lkpp2-0003OQ-Bp for submit@debbugs.gnu.org; Sun, 23 May 2021 11:15:25 -0400 Received: from lists.gnu.org ([209.51.188.17]:38368) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lkpp0-0003OG-QP for submit@debbugs.gnu.org; Sun, 23 May 2021 11:15:19 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:33224) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lkpoz-0001Vw-Gi for bug-guix@gnu.org; Sun, 23 May 2021 11:15:18 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:34136) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lkpoy-0007V4-8r for bug-guix@gnu.org; Sun, 23 May 2021 11:15:16 -0400 Received: from host-37-191-231-185.lynet.no ([37.191.231.185]:43994 helo=localhost) by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lkpow-0005gx-Lu for bug-guix@gnu.org; Sun, 23 May 2021 11:15:16 -0400 From: Marius Bakke Date: Sun, 23 May 2021 17:15:11 +0200 Message-ID: <87bl91qy68.fsf@gnu.org> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1621782970; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:resent-cc:resent-from:resent-sender: resent-message-id:list-id:list-help:list-unsubscribe:list-subscribe: list-post; bh=1Sei/wifeJAlTiUgQIhpd5yHXhnOHRRV7C/b843J+ss=; b=ba+d+YHY98y8mdjee/ywgfJCT2EaG6KDfzn72QbFEpvtOhQubfIGE/flrianU/6HpZhl8r hFRKKCwk4z5fGniQRrJ68rLCmhTK5dGdg81jX/+REwjeuYrIhTsXSLuwb8Jxnjpq64x383 qhE1TgzE5jgCZ5UDBhyX2YbNTpiFdEEhjFOg4CWG6IJ93Qc0iLlSKOrypqoGm/U2rkQn+s h6S6cyf47Bawjrsr2lsB9X5cOuvMdupE1RtUXgOnr0PS3+s16V9/cHoa1eevMmzgNyqS+L dF+vYBEnb05N4uARKB6CPG1Cj2j5C8Sy6iKI7SSdJa74wemsP2F0fMvgI400uQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1621782970; a=rsa-sha256; cv=none; b=GqT9DzAKaRmLJ01Fvx+GeBfiefzGUaKN4b0/Gm2BjZJGgkbc9uT3iQ5gEBJIUzygStre/e 9E7I8AA/edJpuwPgZhKHoJ7IYZewnDPuikQZCvPhCyIsUWMH52ukhRu9xvgFxIW66iNmwl mJ/SDGoVIH4ge7SsdzX/2+Ju3asWnztiUNtCX/4TnoomL4EROJ0ei174Km6bEQQl9XE9s2 3wR3Jgu5opEt+AQaYEk9EumhWd3WuxE0ShL1VC+w4BakMdwk62QFlc2Lv5qSRz865QBPpX 9cffLttd9tgRQVfJlktb/MRIS7jrWVFXBZDBe8iCA7SnqpceXSoSPWbTcFB99w== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Spam-Score: -5.04 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Queue-Id: 1341136D2D X-Spam-Score: -5.04 X-Migadu-Scanner: scn0.migadu.com X-TUID: rfqzCoHm87uu --==-=-= Content-Type: multipart/mixed; boundary="=-=-=" --=-=-= Content-Type: text/plain Greetings Guix, What's old is new again! Expat 2.4.0 was recently released with a fix for a denial of service issue dubbed "billion laughs attack": https://github.com/libexpat/libexpat/blob/R_2_4_0/expat/Changes https://en.wikipedia.org/wiki/Billion_laughs_attack Seeing as this vulnerability appears to be eight years old and is "merely" a DoS: is it worth fixing on the 'master' branch (and re-grafting pretty much everything)? In any case I've attached a patch that does just that and I'm currently using it on my system. I'm hesitant to push it because of the grafting cost and would like others opinion. --=-=-= Content-Type: text/x-patch; charset=utf-8 Content-Disposition: attachment; filename=0001-gnu-expat-Replace-with-2.4.0-fixes-CVE-2013-0340.patch Content-Transfer-Encoding: quoted-printable From=202589767bf405b837db06dadf1c9f990620f11a38 Mon Sep 17 00:00:00 2001 From: Marius Bakke Date: Sun, 23 May 2021 14:22:16 +0200 Subject: [PATCH] gnu: expat: Replace with 2.4.0 [fixes CVE-2013-0340]. * gnu/packages/xml.scm (expat-2.4.0): New variable. (expat)[replacement]: New field. =2D-- gnu/packages/xml.scm | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index ad2e3ec6c9..cbd33326e8 100644 =2D-- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -13,7 +13,7 @@ ;;; Copyright =C2=A9 2016 Jan Nieuwenhuizen ;;; Copyright =C2=A9 2016, 2017 Nikita ;;; Copyright =C2=A9 2016=E2=80=932021 Tobias Geerinckx-Rice =2D;;; Copyright =C2=A9 2016, 2017, 2018, 2019, 2020 Marius Bakke +;;; Copyright =C2=A9 2016, 2017, 2018, 2019, 2020, 2021 Marius Bakke ;;; Copyright =C2=A9 2017 Adriano Peluso ;;; Copyright =C2=A9 2017 Gregor Giesen ;;; Copyright =C2=A9 2017 Alex Vong @@ -121,6 +121,7 @@ the entire document.") (package (name "expat") (version "2.2.9") + (replacement expat-2.4.0) (source (let ((dot->underscore (lambda (c) (if (char=3D? #\. c) #\_ c)= ))) (origin (method url-fetch) @@ -144,6 +145,24 @@ stream-oriented parser in which an application registe= rs handlers for things the parser might find in the XML document (like start tags).") (license license:expat))) =20 +;; Replacement package to fix CVE-2013-0340. +(define expat-2.4.0 + (package + (inherit expat) + (version "2.4.0") + (source (let ((dot->underscore (lambda (c) (if (char=3D? #\. c) #\_ c)= ))) + (origin + (method url-fetch) + (uri (list (string-append "mirror://sourceforge/expat/expa= t/" + version "/expat-" version ".tar.= xz") + (string-append + "https://github.com/libexpat/libexpat/releases= /download/R_" + (string-map dot->underscore version) + "/expat-" version ".tar.xz"))) + (sha256 + (base32 + "04hyv04ygicyajb9ancv02a7sj5v97d94m2bnrjr5fx03r84iib3"))= ))))) + (define-public libebml (package (name "libebml") =2D-=20 2.31.1 --=-=-=-- --==-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iIUEARYKAC0WIQRNTknu3zbaMQ2ddzTocYulkRQQdwUCYKpxfw8cbWFyaXVzQGdu dS5vcmcACgkQ6HGLpZEUEHdN7gEAqd57OAtYLb4Ax55KBrp/xcEsOgZpQP4FCCIR QoIClgEA/AxHrXNrADEEFdw5vySvFRgyHcn1tr+CYZwZ+Ys76AsK =jqio -----END PGP SIGNATURE----- --==-=-=--